Add `esc_html` to get_comment_link

[1naveengiri]

At https://core.trac.wordpress.org/browser/branches/4.9/src/wp-admin/edit-form-comment.php#L27
get_comment_link( ) function getting used without esc_html( )

[1naveengiri]

Adding a patch for it

[iandunn]

Related ticket:44054#comment:2

In the future, please ​disclose any missing escape privately, via HackerOne, rather than publicly via Trac.

[joyously]

The patch is incorrect. It should be the output that is changed.

<span id="sample-permalink"><a href="<?php echo esc_url( $comment_link ); ?>"><?php echo esc_html( $comment_link ); ?></a></span>

[iandunn]

In 43290:

Comments: Escape permalink values on edit screen to prevent XSS.

There doesn't appear to be any way for an attacker to introduce malicious input into the URL, unless a plugin is filtering the URL to add it, but it's better to be safe than sorry.

Props 1naveengiri, joyously.
Fixes #44115.

[SergeyBiryukov]

In 43301:

Comments: Escape permalink values on edit screen to prevent XSS.

There doesn't appear to be any way for an attacker to introduce malicious input into the URL, unless a plugin is filtering the URL to add it, but it's better to be safe than sorry.

Props 1naveengiri, joyously.
Merges [43290] to the 4.9 branch.
Fixes #44115.

[desrosj]

Moving all tickets in 4.9.7 to 4.9.8.

[SergeyBiryukov]

Moving already backported tickets back to 4.9.7.