From a692acecdfafd83f3a4a2d658d2298c8a5fdb459 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Mon, 20 Jul 2009 01:11:14 +0000
Subject: [PATCH] Escape , , and for use in attributes by default since so many themes don't escape them. Use wp_get_current_commenter() to get the raw values.
git-svn-id: https://develop.svn.wordpress.org/trunk@11722 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/comment-template.php | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php
index c3858465c5..2cc31859a9 100644
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -818,8 +818,31 @@ function comments_template( $file = '/comments.php', $separate_comments = false
 $file = '/comments.php';
 $req = get_option('require_name_email');
+
+ /**
+ * Raw comment author information fetched from the comment cookies.
+ *
+ * @uses wp_get_current_commenter()
+ */
 $commenter = wp_get_current_commenter();
- extract($commenter, EXTR_SKIP);
+
+ /**
+ * The name of the current comment author escaped for use in attributes. Use
+ * wp_get_current_commenter() to get the raw value.
+ */
+ $comment_author = esc_attr($commenter['comment_author']);
+
+ /**
+ * The email address of the current comment author escaped for use in attributes. Use
+ * wp_get_current_commenter() to get the raw value.
+ */
+ $comment_author_email = esc_attr($commenter['comment_author_email']);
+
+ /**
+ * The url of the current comment author escaped for use in attributes. Use
+ * wp_get_current_commenter() to get the raw value.
+ */
+ $comment_author_url = esc_url($commenter['comment_author_url']);
 /** @todo Use API instead of SELECTs. */
 if ( $user_ID) {
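Review bot: The three new docblocks all say the value is "escaped for use in attributes", but the URL goes through esc_url() rather than esc_attr(), and that is a different kind of transformation: as far as I recall esc_url() normalises the URL and rejects disallowed schemes, so the result can differ from the raw cookie value beyond entity-encoding, and none of the three values is safe for a JavaScript or inline-style context. I would have the docblocks name the covered contexts, e.g. for the URL `* The url of the current comment author, passed through esc_url() for use in href attributes; it may differ from the raw value beyond entity-encoding, so use wp_get_current_commenter() for comparisons or other output contexts.` and for the other two `* ... escaped with esc_attr() for HTML attribute and text contexts only.` The removed extract($commenter, EXTR_SKIP) left any already-defined $comment_author* variable untouched, whereas the new assignments overwrite unconditionally; if comments_template() sets any of these earlier that is a behaviour change worth confirming. The lookups also assume wp_get_current_commenter() always returns all three keys, which the hunk cannot show. comments_template()'s body starts and ends outside the hunk.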