Wordpress 2.8.2
[autoinstalls/wordpress.git] / wp-includes / comment-template.php
index 2b6b60ac9744b9a99dd64af4de5df67fd03b8846..e87801b6d6a9e2c2ddfd3015f1cf7560d3c88949 100644 (file)
@@ -194,6 +194,7 @@ function comment_author_IP() {
 function get_comment_author_url() {
        global $comment;
        $url = ('http://' == $comment->comment_author_url) ? '' : $comment->comment_author_url;
+       $url = esc_url( $url, array('http', 'https') );
        return apply_filters('get_comment_author_url', $url);
 }
 
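Review bot: The added `esc_url()` call runs before `apply_filters('get_comment_author_url', $url)`, so whatever a filter callback returns reaches callers without the http/https restriction or the escaping being re-applied. The function's docblock sits outside this hunk; it should state that the return value is display-escaped and limited to http/https, and that callbacks on this filter must return an already-safe URL, for example `// Scheme-limited and escaped for display; filter callbacks must keep it safe.` Because `esc_url()` entity-encodes for HTML output, callers that use the value outside markup (comparison, storage) presumably need `esc_url_raw()` on the stored field instead, which is worth one sentence in the same docblock.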
@@ -817,8 +818,28 @@ function comments_template( $file = '/comments.php', $separate_comments = false
                $file = '/comments.php';
 
        $req = get_option('require_name_email');
+
+       /**
+        * Comment author information fetched from the comment cookies.
+        *
+        * @uses wp_get_current_commenter()
+        */
        $commenter = wp_get_current_commenter();
-       extract($commenter, EXTR_SKIP);
+
+       /**
+        * The name of the current comment author escaped for use in attributes.
+        */
+       $comment_author = $commenter['comment_author']; // Escaped by sanitize_comment_cookies()
+
+       /**
+        * The email address of the current comment author escaped for use in attributes.
+        */     
+       $comment_author_email = $commenter['comment_author_email'];  // Escaped by sanitize_comment_cookies()
+
+       /**
+        * The url of the current comment author escaped for use in attributes.
+        */     
+       $comment_author_url = esc_url($commenter['comment_author_url']);
 
        /** @todo Use API instead of SELECTs. */
        if ( $user_ID) {
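Review bot: `$comment_author` and `$comment_author_email` are documented as escaped for attributes, but the assignments only trust that `sanitize_comment_cookies()` has already run; nothing in this hunk enforces that, while the URL a few lines below is escaped locally. Escaping at the point of assignment removes the dependency on call order: `$comment_author = esc_attr( $commenter['comment_author'] );` and the same for the email. The `esc_url()` call here also uses the default protocol list, whereas `get_comment_author_url()` in the first hunk passes `array('http', 'https')`; passing the same list would keep the two paths consistent. `comments_template()` begins and ends outside this hunk, so how the theme's comments.php echoes these variables is not visible here.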