Comments: Escape comment author's email in the Edit Comment form.

Technically, this is redundant, as the `comment_author`, `comment_author_email`, and `comment_author_url` fields are already escaped via `get_comment_to_edit()` before the form is displayed. However, this brings some consistency with the `comment_author` and `comment_author_url` fields being escaped in the same form. Follow-up to [11721]. Props utsav72640. Fixes #53349. Built from https://develop.svn.wordpress.org/trunk@51080 git-svn-id: http://core.svn.wordpress.org/trunk@50689 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2021-06-07 18:47:02 +00:00
parent 3642c401b6
commit aeebd14fe2
2 changed files with 2 additions and 2 deletions
--- a/wp-admin/edit-form-comment.php
+++ b/wp-admin/edit-form-comment.php
@@ -52,7 +52,7 @@ if ( 'approved' === wp_get_comment_status( $comment ) && $comment->comment_post_
 <tr>
 	<td class="first"><label for="email"><?php _e( 'Email' ); ?></label></td>
 	<td>
-		<input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email; ?>" id="email" />
+		<input type="text" name="newcomment_author_email" size="30" value="<?php echo esc_attr( $comment->comment_author_email ); ?>" id="email" />
 	</td>
 </tr>
 <tr>