From 9b3e2b76b41bf5b5db5e85395174633a9188d5f0 Mon Sep 17 00:00:00 2001
From: Andrew Ozz
Date: Tue, 15 May 2018 14:08:29 +0000
Subject: [PATCH] Privacy: Escape comment URLs in personal export file to prevent XSS.
There doesn't appear to be any way for an attacker to introduce malicious input into the URL, unless a plugin is filtering the URL to add it, but it's better to be safe than sorry. Props birgire. Merges [43245] to the 4.9 branch. Fixes #44054. Built from https://develop.svn.wordpress.org/branches/4.9@43270
git-svn-id: http://core.svn.wordpress.org/branches/4.9@43099 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/comment.php | 6 +++++-
 wp-includes/version.php | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 7b7d713a8e..6c0a5d571f 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -3237,7 +3237,11 @@ function wp_comments_personal_data_exporter( $email_address, $page = 1 ) {
 case 'comment_link':
 $value = get_comment_link( $comment->comment_ID );
- $value = '' . $value . '';
+ $value = sprintf(
+ '%s',
+ esc_url( $value ),
+ esc_html( $value )
+ );
 break;
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index c41bd99593..70dcbeccb5 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9.6-RC1-43268';
+$wp_version = '4.9.6-RC1-43270';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
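Review bot: In the new `sprintf()` call in the `comment_link` case, `esc_url()` returns an empty string when the URL's scheme is not in `wp_allowed_protocols()`, so a plugin-filtered value such as a `javascript:` link would still be emitted as an anchor (the tag markup appears stripped from this copy of the patch, presumably `<a href="%s">%s</a>`) whose `href` is empty while its text shows the rejected string. Consider `$url = esc_url( $value );` first and then `$value = '' === $url ? esc_html( $value ) : sprintf( '<a href="%s">%s</a>', $url, esc_html( $value ) );`, so the export never contains a link with no target. The escaping split itself is correct — `esc_url()` for the attribute context, `esc_html()` for the text node — and is what closes the XSS the commit message describes. Because this pre-rendered markup becomes part of the exporter's data rather than being escaped at output time, whatever later writes the HTML export file must pass the `<a>` element through unchanged or via a kses allow-list that permits it, which is outside this hunk and worth confirming. `wp_comments_personal_data_exporter()` starts and ends outside the hunk.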