From bcefcefb58ca179805f85809a4a64b5cfcf2e5d9 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Mon, 7 Jun 2021 18:45:56 +0000
Subject: [PATCH] Comments: Escape comment author's email in the Edit Comment
 form.

Technically, this is redundant, as the `comment_author`, `comment_author_email`, and `comment_author_url` fields are already escaped via `get_comment_to_edit()` before the form is displayed.

However, this brings some consistency with the `comment_author` and `comment_author_url` fields being escaped in the same form.

Follow-up to [11721].

Props utsav72640.
Fixes #53349.

git-svn-id: https://develop.svn.wordpress.org/trunk@51080 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/edit-form-comment.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/wp-admin/edit-form-comment.php b/src/wp-admin/edit-form-comment.php
index ef0818c510..654046c3d9 100644
--- a/src/wp-admin/edit-form-comment.php
+++ b/src/wp-admin/edit-form-comment.php
@@ -52,7 +52,7 @@ if ( 'approved' === wp_get_comment_status( $comment ) && $comment->comment_post_
 <tr>
 	<td class="first"><label for="email"><?php _e( 'Email' ); ?></label></td>
 	<td>
-		<input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email; ?>" id="email" />
+		<input type="text" name="newcomment_author_email" size="30" value="<?php echo esc_attr( $comment->comment_author_email ); ?>" id="email" />
 	</td>
 </tr>
 <tr>