From 1466e9954b97981e1b4c8f33cd84ab84f8cf7640 Mon Sep 17 00:00:00 2001
From: ryan
Date: Mon, 20 Jul 2009 01:11:14 +0000
Subject: [PATCH] Escape , , and for use in attributes by default since so many themes don't escape them. Use wp_get_current_commenter() to get the raw values.

git-svn-id: http://svn.automattic.com/wordpress/trunk@11722 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/comment-template.php | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php
index c3858465c5..2cc31859a9 100644
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -818,8 +818,31 @@ function comments_template( $file = '/comments.php', $separate_comments = false
 $file = '/comments.php';
 
 $req = get_option('require_name_email');
+
+ /**
+ * Raw comment author information fetched from the comment cookies.
+ *
+ * @uses wp_get_current_commenter()
+ */
 $commenter = wp_get_current_commenter();
- extract($commenter, EXTR_SKIP);
+
+ /**
+ * The name of the current comment author escaped for use in attributes. Use
+ * wp_get_current_commenter() to get the raw value.
+ */
+ $comment_author = esc_attr($commenter['comment_author']);
+
+ /**
+ * The email address of the current comment author escaped for use in attributes. Use
+ * wp_get_current_commenter() to get the raw value.
+ */
+ $comment_author_email = esc_attr($commenter['comment_author_email']);
+
+ /**
+ * The url of the current comment author escaped for use in attributes. Use
+ * wp_get_current_commenter() to get the raw value.
+ */
+ $comment_author_url = esc_url($commenter['comment_author_url']);
 
 /** @todo Use API instead of SELECTs. */
 if ( $user_ID) {
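Review bot: The `$comment_author_url = esc_url(...)` line is not the same kind of operation as the two `esc_attr()` lines above it, and its docblock should say so: `esc_url()` is a URL sanitizer that (as far as I recall, worth confirming against the implementation) may normalize the value, for example by adding a scheme or dropping a disallowed protocol, so a theme that echoes `$comment_author_url` into the form field's value attribute can show a rewritten string rather than the text the visitor entered, whereas `esc_attr()` only encodes characters. Suggested docblock addition: `* Note: esc_url() may normalize the URL (scheme, allowed protocols) in addition to escaping it; it is not a byte-for-byte escape of the cookie value.`. A second behavioural difference worth a sentence in the commit message: the removed `extract($commenter, EXTR_SKIP)` left any pre-existing `$comment_author`, `$comment_author_email` or `$comment_author_url` untouched, while the new assignments overwrite them unconditionally, which is the intended default but is a change for any caller relying on the skip semantics. The three array reads also assume `wp_get_current_commenter()` always returns all three keys; if that is guaranteed by the function, the docblock's `@uses` line could state it so the absence of a `??`-style fallback is clearly deliberate. The enclosing `comments_template()` body starts before and continues after this hunk.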