diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php
index 4bc5c2486c..fba653c0b4 100644
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -793,7 +793,7 @@ function comments_template( $file = '/comments.php', $separate_comments = false
 } else if ( empty($comment_author) ) {
 $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1' ORDER BY comment_date", $post->ID));
 } else {
- $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND ( comment_approved = '1' OR ( comment_author = %s AND comment_author_email = %s AND comment_approved = '0' ) ) ORDER BY comment_date", $post->ID, $comment_author, $comment_author_email));
+ $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND ( comment_approved = '1' OR ( comment_author = %s AND comment_author_email = %s AND comment_approved = '0' ) ) ORDER BY comment_date", $post->ID, htmlspecialchars_decode($comment_author, ENT_QUOTES), $comment_author_email));
 }
 // keep $comments for legacy's sake
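Review bot: Only `$comment_author` is entity-decoded in the new `$wpdb->prepare()` call, while `$comment_author_email` is bound to the same kind of `%s` comparison unchanged. If both values arrive entity-encoded from the same upstream source (not visible in this hunk), an address containing `&` or `'` would still fail to match the commenter's own pending comment. Either decode both, or state why the name alone needs it, e.g. `// $comment_author arrives entity-encoded; the DB stores the raw name, so decode before matching`. Decoding inline is the right shape: the value is still bound through the `%s` placeholder, so no injection risk is reintroduced, and `$comment_author` itself stays encoded for any later HTML output. comments_template() starts and ends outside the hunk.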