Index: wp-admin/comment.php
===================================================================
--- wp-admin/comment.php	(revision 56024)
+++ wp-admin/comment.php	(working copy)
@@ -161,11 +161,11 @@
 					break;
 			}
 			if ( $message ) {
-				echo '<div id="message" class="notice notice-info"><p>' . $message . '</p></div>';
+				echo '<div id="message" class="notice notice-info"><p>' . esc_html( $message ) . '</p></div>';
 			}
 		}
 		?>
-<div id="message" class="notice notice-warning"><p><strong><?php _e( 'Caution:' ); ?></strong> <?php echo $caution_msg; ?></p></div>
+<div id="message" class="notice notice-warning"><p><strong><?php _e( 'Caution:' ); ?></strong> <?php echo esc_html( $caution_msg ); ?></p></div>
 
 <table class="form-table comment-ays">
 <tr>
@@ -195,7 +195,7 @@
 		} else {
 			$post_link = esc_html( get_the_title( $post_id ) );
 		}
-		echo $post_link;
+		echo esc_attr( $post_link );
 
 		if ( $comment->comment_parent ) {
 			$parent      = get_comment( $comment->comment_parent );
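Review bot: `esc_attr()` is the wrong escaper for `echo esc_attr( $post_link );` — the value is printed as HTML body text, not inside an attribute, and the else branch directly above already wraps the title in `esc_html()`, so that path now gets double-escaped. The other branch that assigns `$post_link` starts above the hunk; if it builds an `<a href>` anchor, `esc_attr()` will render the tag as literal text and the edit link disappears. The same context mismatch appears in the last hunk at `echo esc_attr( $submitted );`, where the sibling branch uses `esc_html()`. If `$post_link` may legitimately carry an anchor, escape the components where the string is assembled and output it with `echo wp_kses_post( $post_link );`; if it is guaranteed plain text, use `echo esc_html( $post_link );` for consistency with the rest of the change.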
@@ -204,7 +204,7 @@
 			printf(
 				/* translators: %s: Comment link. */
 				' | ' . __( 'In reply to %s.' ),
-				'<a href="' . $parent_link . '">' . $name . '</a>'
+				'<a href="' . esc_url( $parent_link ) . '">' . esc_html( $name ) . '</a>'
 			);
 		}
 		?>
@@ -223,9 +223,9 @@
 			get_comment_date( __( 'g:i a' ), $comment )
 		);
 		if ( 'approved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_post_ID ) ) {
-			echo '<a href="' . esc_url( get_comment_link( $comment ) ) . '">' . $submitted . '</a>';
+			echo '<a href="' . esc_url( get_comment_link( $comment ) ) . '">' . esc_html( $submitted ) . '</a>';
 		} else {
-			echo $submitted;
+			echo esc_attr( $submitted );
 		}
 		?>
 	</td>
