diff --git a/wp-admin/includes/class-wp-comments-list-table.php b/wp-admin/includes/class-wp-comments-list-table.php
index 9b46512c24..e7707daba9 100644
--- a/wp-admin/includes/class-wp-comments-list-table.php
+++ b/wp-admin/includes/class-wp-comments-list-table.php
@@ -705,18 +705,18 @@ class WP_Comments_List_Table extends WP_List_Table {
$output = '';
- $del_nonce = esc_html( '_wpnonce=' . wp_create_nonce( "delete-comment_$comment->comment_ID" ) );
- $approve_nonce = esc_html( '_wpnonce=' . wp_create_nonce( "approve-comment_$comment->comment_ID" ) );
+ $approve_nonce = esc_html( '_wpnonce=' . wp_create_nonce( 'approve-comment_' . $comment->comment_ID ) );
+ $del_nonce = esc_html( '_wpnonce=' . wp_create_nonce( 'delete-comment_' . $comment->comment_ID ) );
- $url = "comment.php?c=$comment->comment_ID";
+ $action_string = 'comment.php?action=%s&c=' . $comment->comment_ID . '&%s';
- $approve_url = esc_url( $url . "&action=approvecomment&$approve_nonce" );
- $unapprove_url = esc_url( $url . "&action=unapprovecomment&$approve_nonce" );
- $spam_url = esc_url( $url . "&action=spamcomment&$del_nonce" );
- $unspam_url = esc_url( $url . "&action=unspamcomment&$del_nonce" );
- $trash_url = esc_url( $url . "&action=trashcomment&$del_nonce" );
- $untrash_url = esc_url( $url . "&action=untrashcomment&$del_nonce" );
- $delete_url = esc_url( $url . "&action=deletecomment&$del_nonce" );
+ $approve_url = sprintf( $action_string, 'approvecomment', $approve_nonce );
+ $unapprove_url = sprintf( $action_string, 'unapprovecomment', $approve_nonce );
+ $spam_url = sprintf( $action_string, 'spamcomment', $del_nonce );
+ $unspam_url = sprintf( $action_string, 'unspamcomment', $del_nonce );
+ $trash_url = sprintf( $action_string, 'trashcomment', $del_nonce );
+ $untrash_url = sprintf( $action_string, 'untrashcomment', $del_nonce );
+ $delete_url = sprintf( $action_string, 'deletecomment', $del_nonce );
// Preorder it: Approve | Reply | Quick Edit | Edit | Spam | Trash.
$actions = array(
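Review bot: The new `$action_string` on the `+` line building it interpolates `$comment->comment_ID` into the sprintf format itself rather than passing it as an argument, so the format's correctness depends on the ID never containing a `%`; the same pattern is used in dashboard.php's `$action_string`, which also embeds `comment_post_ID`. Keeping all variable parts as placeholders is both safer and easier to read: `$action_string = 'comment.php?action=%s&c=%d&%s';` with call sites like `sprintf( $action_string, 'approvecomment', $comment->comment_ID, $approve_nonce )`, and `&p=%d` added for the dashboard variant. Since `esc_url()` is now applied at the output sites, the `esc_html()` wrapped around the nonce query fragments appears redundant (the nonce is only ever emitted through `esc_url()` in the visible hunks); presumably harmless, but worth a comment such as `// $approve_url etc. are raw; escape with esc_url() at every output site.` so any use of these variables outside the visible hunks is not emitted unescaped. The enclosing method starts and ends outside this hunk.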
@@ -737,7 +737,7 @@ class WP_Comments_List_Table extends WP_List_Table {
if ( 'approved' === $the_comment_status ) {
$actions['unapprove'] = sprintf(
'%s',
- $unapprove_url,
+ esc_url( $unapprove_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}:e7e7d3:action=dim-comment&new=unapproved",
esc_attr__( 'Unapprove this comment' ),
__( 'Unapprove' )
@@ -745,7 +745,7 @@ class WP_Comments_List_Table extends WP_List_Table {
} elseif ( 'unapproved' === $the_comment_status ) {
$actions['approve'] = sprintf(
'%s',
- $approve_url,
+ esc_url( $approve_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}:e7e7d3:action=dim-comment&new=approved",
esc_attr__( 'Approve this comment' ),
__( 'Approve' )
@@ -754,7 +754,7 @@ class WP_Comments_List_Table extends WP_List_Table {
} else {
$actions['approve'] = sprintf(
'%s',
- $approve_url,
+ esc_url( $approve_url ),
"dim:the-comment-list:comment-{$comment->comment_ID}:unapproved:e7e7d3:e7e7d3:new=approved",
esc_attr__( 'Approve this comment' ),
__( 'Approve' )
@@ -762,7 +762,7 @@ class WP_Comments_List_Table extends WP_List_Table {
$actions['unapprove'] = sprintf(
'%s',
- $unapprove_url,
+ esc_url( $unapprove_url ),
"dim:the-comment-list:comment-{$comment->comment_ID}:unapproved:e7e7d3:e7e7d3:new=unapproved",
esc_attr__( 'Unapprove this comment' ),
__( 'Unapprove' )
@@ -772,7 +772,7 @@ class WP_Comments_List_Table extends WP_List_Table {
if ( 'spam' !== $the_comment_status ) {
$actions['spam'] = sprintf(
'%s',
- $spam_url,
+ esc_url( $spam_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}::spam=1",
esc_attr__( 'Mark this comment as spam' ),
/* translators: "Mark as spam" link. */
@@ -781,7 +781,7 @@ class WP_Comments_List_Table extends WP_List_Table {
} elseif ( 'spam' === $the_comment_status ) {
$actions['unspam'] = sprintf(
'%s',
- $unspam_url,
+ esc_url( $unspam_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}:66cc66:unspam=1",
esc_attr__( 'Restore this comment from the spam' ),
_x( 'Not Spam', 'comment' )
@@ -791,7 +791,7 @@ class WP_Comments_List_Table extends WP_List_Table {
if ( 'trash' === $the_comment_status ) {
$actions['untrash'] = sprintf(
'%s',
- $untrash_url,
+ esc_url( $untrash_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}:66cc66:untrash=1",
esc_attr__( 'Restore this comment from the Trash' ),
__( 'Restore' )
@@ -801,7 +801,7 @@ class WP_Comments_List_Table extends WP_List_Table {
if ( 'spam' === $the_comment_status || 'trash' === $the_comment_status || ! EMPTY_TRASH_DAYS ) {
$actions['delete'] = sprintf(
'%s',
- $delete_url,
+ esc_url( $delete_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}::delete=1",
esc_attr__( 'Delete this comment permanently' ),
__( 'Delete Permanently' )
@@ -809,7 +809,7 @@ class WP_Comments_List_Table extends WP_List_Table {
} else {
$actions['trash'] = sprintf(
'%s',
- $trash_url,
+ esc_url( $trash_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}::trash=1",
esc_attr__( 'Move this comment to the Trash' ),
_x( 'Trash', 'verb' )
diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php
index 84514015e2..be1ac4224c 100644
--- a/wp-admin/includes/dashboard.php
+++ b/wp-admin/includes/dashboard.php
@@ -726,18 +726,20 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
'view' => '',
);
- $del_nonce = esc_html( '_wpnonce=' . wp_create_nonce( "delete-comment_$comment->comment_ID" ) );
- $approve_nonce = esc_html( '_wpnonce=' . wp_create_nonce( "approve-comment_$comment->comment_ID" ) );
+ $approve_nonce = esc_html( '_wpnonce=' . wp_create_nonce( 'approve-comment_' . $comment->comment_ID ) );
+ $del_nonce = esc_html( '_wpnonce=' . wp_create_nonce( 'delete-comment_' . $comment->comment_ID ) );
- $approve_url = esc_url( "comment.php?action=approvecomment&p=$comment->comment_post_ID&c=$comment->comment_ID&$approve_nonce" );
- $unapprove_url = esc_url( "comment.php?action=unapprovecomment&p=$comment->comment_post_ID&c=$comment->comment_ID&$approve_nonce" );
- $spam_url = esc_url( "comment.php?action=spamcomment&p=$comment->comment_post_ID&c=$comment->comment_ID&$del_nonce" );
- $trash_url = esc_url( "comment.php?action=trashcomment&p=$comment->comment_post_ID&c=$comment->comment_ID&$del_nonce" );
- $delete_url = esc_url( "comment.php?action=deletecomment&p=$comment->comment_post_ID&c=$comment->comment_ID&$del_nonce" );
+ $action_string = 'comment.php?action=%s&p=' . $comment->comment_post_ID . '&c=' . $comment->comment_ID . '&%s';
+
+ $approve_url = sprintf( $action_string, 'approvecomment', $approve_nonce );
+ $unapprove_url = sprintf( $action_string, 'unapprovecomment', $approve_nonce );
+ $spam_url = sprintf( $action_string, 'spamcomment', $del_nonce );
+ $trash_url = sprintf( $action_string, 'trashcomment', $del_nonce );
+ $delete_url = sprintf( $action_string, 'deletecomment', $del_nonce );
$actions['approve'] = sprintf(
'%s',
- $approve_url,
+ esc_url( $approve_url ),
"dim:the-comment-list:comment-{$comment->comment_ID}:unapproved:e7e7d3:e7e7d3:new=approved",
esc_attr__( 'Approve this comment' ),
__( 'Approve' )
@@ -745,7 +747,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
$actions['unapprove'] = sprintf(
'%s',
- $unapprove_url,
+ esc_url( $unapprove_url ),
"dim:the-comment-list:comment-{$comment->comment_ID}:unapproved:e7e7d3:e7e7d3:new=unapproved",
esc_attr__( 'Unapprove this comment' ),
__( 'Unapprove' )
@@ -768,7 +770,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
$actions['spam'] = sprintf(
'%s',
- $spam_url,
+ esc_url( $spam_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}::spam=1",
esc_attr__( 'Mark this comment as spam' ),
/* translators: "Mark as spam" link. */
@@ -778,7 +780,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
if ( ! EMPTY_TRASH_DAYS ) {
$actions['delete'] = sprintf(
'%s',
- $delete_url,
+ esc_url( $delete_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}::trash=1",
esc_attr__( 'Delete this comment permanently' ),
__( 'Delete Permanently' )
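Review bot: The `delete` action's data-wp-lists string on the context line reads `delete:the-comment-list:comment-{...}::trash=1`, while the equivalent action in class-wp-comments-list-table.php uses `::delete=1`; the `trash` action a few lines below also uses `::trash=1`. This is pre-existing and not touched by the commit, but since the surrounding lines are being reworked it looks like a copy-paste inconsistency worth confirming against the list handler. If intentional, a one-line comment stating why the dashboard delete link reports `trash=1` would stop the next reader from "fixing" it. The enclosing function continues outside this hunk.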
@@ -786,7 +788,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
} else {
$actions['trash'] = sprintf(
'%s',
- $trash_url,
+ esc_url( $trash_url ),
"delete:the-comment-list:comment-{$comment->comment_ID}::trash=1",
esc_attr__( 'Move this comment to the Trash' ),
_x( 'Trash', 'verb' )
diff --git a/wp-includes/version.php b/wp-includes/version.php
index cf357efb04..37721756aa 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
-$wp_version = '6.7-alpha-58887';
+$wp_version = '6.7-alpha-58888';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.