Comments: Escape comment author's email in the Edit Comment form.

Technically, this is redundant, as the `comment_author`, `comment_author_email`, and `comment_author_url` fields are already escaped via `get_comment_to_edit()` before the form is displayed. However, this brings some consistency with the `comment_author` and `comment_author_url` fields being escaped in the same form. Follow-up to [11721]. Props utsav72640. Fixes #53349. git-svn-id: https://develop.svn.wordpress.org/trunk@51080 602fd350-edb4-49c9-b593-d223f7449a82
2025-04-07 13:43:25 +02:00 · 2021-06-07 18:45:56 +00:00 · 2021-06-07 18:45:56 +00:00 · bcefcefb58
commit bcefcefb58
parent 37a4faa7ed
1 changed files with 1 additions and 1 deletions
--- a/src/wp-admin/edit-form-comment.php
+++ b/src/wp-admin/edit-form-comment.php
@ -52,7 +52,7 @@ if ( 'approved' === wp_get_comment_status( $comment ) && $comment->comment_post_
 <tr>
 	<td class="first"><label for="email"><?php _e( 'Email' ); ?></label></td>
 	<td>
-		<input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email; ?>" id="email" />
+		<input type="text" name="newcomment_author_email" size="30" value="<?php echo esc_attr( $comment->comment_author_email ); ?>" id="email" />
 	</td>
 </tr>
 <tr>