Changeset 35748 for trunk/src/wp-admin/includes/class-wp-comments-list-table.php

Timestamp:

11/29/2015 02:40:42 AM (10 years ago)

Author:

johnbillion

Message:

In a similar vein to [34133], escape the email address and IP address of comment authors to increase defence in depth.

File:

• trunk/src/wp-admin/includes/class-wp-comments-list-table.php (modified) (2 diffs)

trunk/src/wp-admin/includes/class-wp-comments-list-table.php

@@ -696 +696 @@
 
                 if ( ! empty( $email ) && '@' !== $email ) {
-                    printf( '<a href=\'mailto:%1$s\'>%1$s</a><br />', $email );
+                    printf( '<a href="%1$s">%2$s</a><br />', esc_url( 'mailto:' . $email ), esc_html( $email ) );
                 }
             }
@@ -706 +706 @@
                     $author_ip_url = add_query_arg( 'comment_status', 'spam', $author_ip_url );
                 }
-                printf( '<a href="%s">%s</a>', esc_url( $author_ip_url ), $author_ip );
+                printf( '<a href="%1$s">%2$s</a>', esc_url( $author_ip_url ), esc_html( $author_ip ) );
             }
         }