From f6450ab8ce83e0c7f5e3bf62c7ebe7214f8ea130 Mon Sep 17 00:00:00 2001
From: Andrew Nacin <nacin@git.wordpress.org>
Date: Thu, 28 Feb 2013 18:58:52 +0000
Subject: [PATCH] esc_url() when printing a URL into an attribute, even when it
 is known to be safe. (see #17562)

git-svn-id: https://develop.svn.wordpress.org/trunk@23528 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/author-template.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wp-includes/author-template.php b/wp-includes/author-template.php
index 1b6a948dc5..8eba19a43d 100644
--- a/wp-includes/author-template.php
+++ b/wp-includes/author-template.php
@@ -134,7 +134,7 @@ function the_author_meta($field = '', $user_id = false) {
  */
 function get_the_author_link() {
 	if ( get_the_author_meta('url') ) {
-		return '<a href="' . get_the_author_meta('url') . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="author external">' . get_the_author() . '</a>';
+		return '<a href="' . esc_url( get_the_author_meta('url') ) . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="author external">' . get_the_author() . '</a>';
 	} else {
 		return get_the_author();
 	}
@@ -200,7 +200,7 @@ function the_author_posts_link($deprecated = '') {
 		return false;
 	$link = sprintf(
 		'<a href="%1$s" title="%2$s" rel="author">%3$s</a>',
-		get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
+		esc_url( get_author_posts_url( $authordata->ID, $authordata->user_nicename ) ),
 		esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ),
 		get_the_author()
 	);