Timestamp:
11/29/2015 02:40:42 AM (6 years ago)
Author:
johnbillion
Message:

In a similar vein to [34133], escape the email address and IP address of comment authors to increase defence in depth.

File:
1 edited

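--- a/trunk/src/wp-admin/includes/class-wp-comments-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-comments-list-table.php
@@ -696,5 +696,5 @@
 
 				if ( ! empty( $email ) && '@' !== $email ) {
-					printf( '<a href=\'mailto:%1$s\'>%1$s</a><br />', $email );
+					printf( '<a href="%1$s">%2$s</a><br />', esc_url( 'mailto:' . $email ), esc_html( $email ) );
 				}
 			}
@@ -706,5 +706,5 @@
 					$author_ip_url = add_query_arg( 'comment_status', 'spam', $author_ip_url );
 				}
-				printf( '<a href="%s">%s</a>', esc_url( $author_ip_url ), $author_ip );
+				printf( '<a href="%1$s">%2$s</a>', esc_url( $author_ip_url ), esc_html( $author_ip ) );
 			}
 		}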
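Review bot: The mailto href and the visible address in the first hunk are now escaped by different functions, so an address that esc_url() alters or strips characters from will render with a link target that no longer matches the text shown by esc_html(); a short comment on that printf would make the divergence intentional rather than surprising to the next reader, e.g. `// href and visible text are escaped separately: esc_url() may drop characters that esc_html() only encodes.`. The guard on the line above, `'@' !== $email`, only rejects the literal single-character string and does no validation of the address, which is presumably why the output escaping matters here; the commit message's "defence in depth" would be worth restating in a comment at that guard. The same split between esc_url() for the href and esc_html() for the text appears in the second hunk for `$author_ip`. The enclosing method begins and ends outside this file section.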