Escape , , and for use in attributes by default since so many themes don't escape them. Use wp_get_current_commenter() to get the raw values.

git-svn-id: https://develop.svn.wordpress.org/trunk@11722 602fd350-edb4-49c9-b593-d223f7449a82

wp-includes/comment-template.php

@@ -818,8 +818,31 @@ function comments_template( $file = '/comments.php', $separate_comments = false
 		$file = '/comments.php';
 
 	$req = get_option('require_name_email');
+
+	/**
+	 * Raw comment author information fetched from the comment cookies.
+	 *
+	 * @uses wp_get_current_commenter()
+	 */
 	$commenter = wp_get_current_commenter();
-	extract($commenter, EXTR_SKIP);
+
+	/**
+	 * The name of the current comment author escaped for use in attributes.  Use
+	 * wp_get_current_commenter() to get the raw value.
+	 */
+	$comment_author = esc_attr($commenter['comment_author']);
+
+	/**
+	 * The email address of the current comment author escaped for use in attributes.  Use
+	 * wp_get_current_commenter() to get the raw value.
+	 */	
+	$comment_author_email = esc_attr($commenter['comment_author_email']);
+
+	/**
+	 * The url of the current comment author escaped for use in attributes.  Use
+	 * wp_get_current_commenter() to get the raw value.
+	 */	
+	$comment_author_url = esc_url($commenter['comment_author_url']);
 
 	/** @todo Use API instead of SELECTs. */
 	if ( $user_ID) {