Apostrophe in comment author causes comment to be spammed - esc_html
|Reported by:||tellyworth||Owned by:||markjaquith|
Since  - which added esc_html filtering to many items - comments containing an apostrophe (and possibly other characters) in the author name field are flagged as spam by WordPress.
The root cause is that esc_html() uses decimal entity encoding, so O'Connor becomes O&#039;Connor. But wp_blacklist_check() regards any comment containing a decimal entity as spam (and worse, does so silently and without any way for the blog administrator to stop it).
1. esc_html() should use hex entity encoding, not decimal
2. comment_author_name shouldn't use esc_html()
3. wp_blacklist_check() shouldn't spam comments containing decimal entities
All three are trivial fixes so I haven't included a patch. I'd favour (1) if only because it eliminates the regression and reverts to the old behaviour.
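
The interaction described in this ticket, as an added example that is not part of the original report and not WordPress's own code: `escape_decimal()`, `escape_hex()` and `has_decimal_entity()` are hypothetical stand-ins for the escaping and the blacklist check, and the author names are constructed. It compares escaping before the check (the regression), hex escaping as in proposal 1, and checking the raw value and escaping only on output.

```php
<?php
// Added illustration; simplified stand-ins, not WordPress's own functions.

// Escapes the way the ticket describes: ' becomes the decimal entity &#039;.
// double_encode=false (an assumption) leaves entities already in the input alone.
function escape_decimal(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// Proposal (1): same escaping, but the apostrophe is emitted as a hex entity.
function escape_hex(string $s): string {
    return str_replace('&#039;', '&#x27;', escape_decimal($s));
}

// Hypothetical filter with the behaviour the ticket reports:
// any decimal entity in the checked text marks the comment as spam.
function has_decimal_entity(string $s): bool {
    return preg_match('/&#[0-9]+;/', $s) === 1;
}

// Constructed sample author names; the last one was submitted with a
// literal decimal entity already in it.
$authors = ["O'Connor", "Smith", "A&#66;C"];

foreach ($authors as $raw) {
    $flags = [
        'decimal escape, then check'  => has_decimal_entity(escape_decimal($raw)),
        'hex escape, then check'      => has_decimal_entity(escape_hex($raw)),
        'check raw, escape on output' => has_decimal_entity($raw),
    ];
    echo "author: $raw (stored as " . escape_decimal($raw) . ")\n";
    foreach ($flags as $order => $spam) {
        printf("  %-28s %s\n", $order, $spam ? 'SPAM' : 'ok');
    }
}
```

Only the first ordering flags the plain apostrophe, while the name that was submitted with an entity is flagged in all three, so the check keeps working when it stops seeing entities that the escaping step introduced itself.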