﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
13845	XSS/XHTML issue for edit-comments.php	brettz95		"Hi,

When viewing edit-comments.php in the admin in application/xhtml+xml mode, I get a well-formedness error, which could also indicate a possible XSS vulnerability since it is apparently user content prompting the insertion of invalid markup (in my case a spammer put a < symbol inside <a href=""..."").

While I don't have a lot of time to research what the best way to do this would be, line 584 of /wp-includes/comment_template.php has the comment_text() function, which is called by line 2075 of /wp-admin/includes/template.php (inside function _wp_comment_row), which is called in line 402 (and 408) of wp-admin/edit-comments.php when producing <tbody id=""the-comment-list"">.

When I use htmlspecialchars inside the comment_text function, it fixes the problem (at least for this case).

function comment_text() {
	// Escape <, >, & and quotes in the raw comment text before the
	// comment_text filters run, so any markup in the comment is output
	// as literal text rather than as tags.
	echo apply_filters('comment_text', htmlspecialchars(get_comment_text()) ); // Brett added htmlspecialchars
}

Would appreciate if someone might look into this, thanks..."	defect (bug)	closed	normal	3.1	Security		normal	fixed	reporter-feedback	
