Description: Escape email addresses
Author: nbachiyski@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/34137
Bug-Debian: https://bugs.debian.org/799140
Applied-Upstream: 4.3.1
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2015-09-19
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-admin/includes/class-wp-ms-users-list-table.php
+++ b/wp-admin/includes/class-wp-ms-users-list-table.php
@@ -201,7 +201,7 @@
 					break;
 
 					case 'email':
-						echo "<td $attributes><a href='mailto:$user->user_email'>$user->user_email</a></td>";
+                        echo "<td $attributes><a href='" . esc_url( "mailto:$user->user_email" ) . "'>$user->user_email</a></td>";
 					break;
 
 					case 'registered':
--- a/wp-admin/includes/class-wp-users-list-table.php
+++ b/wp-admin/includes/class-wp-users-list-table.php
@@ -294,7 +294,7 @@
 					$r .= "<td $attributes>$user_object->first_name $user_object->last_name</td>";
 					break;
 				case 'email':
-					$r .= "<td $attributes><a href='mailto:$email' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
+                    $r .= "<td $attributes><a href='" . esc_url( "mailto:$email" ) . "' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
 					break;
 				case 'role':
 					$r .= "<td $attributes>$role_name</td>";
