From f91a5fd10ea7245e5b41e288624819a37adf290a Mon Sep 17 00:00:00 2001
From: Nikolay Bachiyski <nb@nikolay.bg>
Date: Mon, 14 Sep 2015 22:40:23 +0000
Subject: [PATCH] List tables: escape user e-mails

Merges [34133] for 4.3 branch

Built from https://develop.svn.wordpress.org/branches/4.3@34137


git-svn-id: http://core.svn.wordpress.org/branches/4.3@34105 1a063a9b-81f0-0310-95a4-ce76da25c4cd

v2: Backport to Wordpress 3.6.1, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
---
 wp-admin/includes/class-wp-ms-users-list-table.php | 2 +-
 wp-admin/includes/class-wp-users-list-table.php    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/wp-admin/includes/class-wp-ms-users-list-table.php
+++ b/wp-admin/includes/class-wp-ms-users-list-table.php
@@ -201,7 +201,7 @@
 					break;
 
 					case 'email':
-						echo "<td $attributes><a href='mailto:$user->user_email'>$user->user_email</a></td>";
+						echo "<td $attributes><a href=" . esc_url("mailto:".$user->user_email) . "'>$user->user_email</a></td>";
 					break;
 
 					case 'registered':
--- a/wp-admin/includes/class-wp-users-list-table.php
+++ b/wp-admin/includes/class-wp-users-list-table.php
@@ -294,7 +294,7 @@
 					$r .= "<td $attributes>$user_object->first_name $user_object->last_name</td>";
 					break;
 				case 'email':
-					$r .= "<td $attributes><a href='mailto:$email' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
+					$r .= "<td $attributes><a href='" . esc_url("mailto:$email") . "' title='" . esc_attr( sprintf( __( 'E-mail: %s' ), $email ) ) . "'>$email</a></td>";
 					break;
 				case 'role':
 					$r .= "<td $attributes>$role_name</td>";
