Comments editor HTML tag

[pkirk]

With a vanilla (2.8.4 -> 3.0) installation, if you go and edit the comment from Mr Wordpress, you will see that in the editor you can find the HTML code of the apostrophe for "post's".

Hi, this is a comment.<br />To delete a comment, just log in and view the post&#039;s comments. There you will have the option to edit or delete them.

The problem comes with a production env with European languages where comments are full of accented letters that make the reading almost impossible.

This would be a case for using esc_html() instead of esc_textarea(). See #15454

... because esc_html() doesn't escape special characters.

Force esc_html() escaping

Turns out the content is escaped twice: first in get_comment_to_edit() and then again in wp_htmledit_pre().

In ​esc_html_comment_form.php I had to use $wpdb directly because the cached version returned from get_comment() is the escaped one. This should definitely be fixed.

Actually, the problem is that get_comment() checks $GLOBALScomment?.

No easy fix for this, unfortunately. Punting.

What we should actually do is remove the entity from upgrade.php, and let texturize do the work. Otherwise, what's happening when editing the comment appears to be proper, as this *is* what's in the DB.

In 37888:

Comments: Improve author and content of the default comment.

The new comment:

A WordPress Commenter <wapuu@wordpress.example>:

Hi, this is a comment.
To moderate comments, just log in. There you will have the option to edit or delete them.
Commenter avatars come from <a href="https://gravatar.com">Gravatar</a>.

Also introduces a network setting to set the email address of the first comment author on a new site.

Props Ipstenu, rachelbaker, jorbin, jeremyfelt.
Fixes #36702, #14268.