X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/9c40b4d36daed9e28e48a5fe9205c32557195a4b..4f4e083f6f77639c41e2b1ddb200de8e34301cee:/wp-includes/comment-template.php
diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php
index 2b6b60ac..e87801b6 100644
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -194,6 +194,7 @@ function comment_author_IP() {
 function get_comment_author_url() {
 	global $comment;
 	$url = ('http://' == $comment->comment_author_url) ? '' : $comment->comment_author_url;
+	$url = esc_url( $url, array('http', 'https') );
 	return apply_filters('get_comment_author_url', $url);
 }
 
@@ -817,8 +818,28 @@ function comments_template( $file = '/comments.php', $separate_comments = false
 		$file = '/comments.php';
 
 	$req = get_option('require_name_email');
+
+	/**
+	 * Comment author information fetched from the comment cookies.
+	 *
+	 * @uses wp_get_current_commenter()
+	 */
 	$commenter = wp_get_current_commenter();
-	extract($commenter, EXTR_SKIP);
+
+	/**
+	 * The name of the current comment author escaped for use in attributes.
+	 */
+	$comment_author = $commenter['comment_author']; // Escaped by sanitize_comment_cookies()
+
+	/**
+	 * The email address of the current comment author escaped for use in attributes.
+	 */
+	$comment_author_email = $commenter['comment_author_email']; // Escaped by sanitize_comment_cookies()
+
+	/**
+	 * The url of the current comment author escaped for use in attributes.
+	 */
+	$comment_author_url = esc_url($commenter['comment_author_url']);
 
 	/** @todo Use API instead of SELECTs. */
 	if ( $user_ID) {
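Review bot: The new esc_url() call in get_comment_author_url() runs before apply_filters('get_comment_author_url'), so the http/https restriction covers only the stored value; a callback attached to that filter can return any string and it reaches the caller without passing through esc_url(). If that is intended because filter callbacks are trusted code, say so on the added line: `$url = esc_url( $url, array('http', 'https') ); // Restrict to http/https before filtering; filter callbacks may still override this value.` Note also that, as far as I recall, esc_url() is the display-context escaper (it entity-encodes ampersands), so callers that use the return value outside HTML text/attribute contexts will see the encoded form rather than the raw URL.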
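Review bot: In comments_template(), the new assignments for $comment_author and $comment_author_email rely on a trailing comment asserting that sanitize_comment_cookies() has already escaped them, while $comment_author_url is escaped in place with esc_url(); nothing in this hunk enforces the first two claims, yet each docblock says the value is "escaped for use in attributes". Either escape these at the point of use in the template or make the inline comment precise about where the guarantee comes from, e.g. `$comment_author = $commenter['comment_author']; // Sanitized on init by sanitize_comment_cookies(); templates must still esc_attr() when emitting.` and the same for the email line. Docblock (`/** ... */`) syntax with an @uses tag on local variables is unconventional PHP and reads like API documentation; plain `//` comments carry the same information. Replacing extract($commenter, EXTR_SKIP) with explicit assignments also drops EXTR_SKIP's "do not overwrite existing locals" behaviour, so the three variables are now assigned unconditionally, which looks intended but is worth a word in the commit message. comments_template() starts and ends outside the hunk.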