Changeset 35748 for trunk/src/wp-includes/comment-template.php

Timestamp:

11/29/2015 02:40:42 AM (10 years ago)

Author:

johnbillion

Message:

In a similar vein to [34133], escape the email address and IP address of comment authors to increase defence in depth.

File:

• trunk/src/wp-includes/comment-template.php (modified) (2 diffs)

trunk/src/wp-includes/comment-template.php

@@ -185 +185 @@
     $display = ($linktext != '') ? $linktext : $email;
         $return  = $before;
-        $return .= "<a href='mailto:$email'>$display</a>";
+        $return .= sprintf( '<a href="%1$s">%2$s</a>', esc_url( 'mailto:' . $email ), esc_html( $display ) );
         $return .= $after;
         return $return;
@@ -279 +279 @@
  */
 function comment_author_IP( $comment_ID = 0 ) {
-    echo get_comment_author_IP( $comment_ID );
+    echo esc_html( get_comment_author_IP( $comment_ID ) );
 }