Escape urls in the Epherma widget. see #17198.

git-svn-id: http://svn.automattic.com/wordpress/trunk@17759 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-content/themes/twentyeleven/inc/widgets.php

@@ -85,7 +85,7 @@ class Twenty_Eleven_Ephemera_Widget extends WP_Widget {
 			<?php if ( 'link' != get_post_format() ) : ?>
 
 			<li class="widget-entry-title">
-				<a href="<?php the_permalink(); ?>" title="<?php printf( esc_attr__( 'Permalink to %s', 'twentyeleven' ), the_title_attribute( 'echo=0' ) ); ?>" rel="bookmark"><?php the_title(); ?></a>
+				<a href="<?php echo esc_url( get_permalink() ); ?>" title="<?php printf( esc_attr__( 'Permalink to %s', 'twentyeleven' ), the_title_attribute( 'echo=0' ) ); ?>" rel="bookmark"><?php the_title(); ?></a>
 				<span class="comments-link">
 					<?php comments_popup_link( __( '0 <span class="reply">comments &rarr;</span>', 'twentyeleven' ), __( '1 <span class="reply">comment &rarr;</span>', 'twentyeleven' ), __( '% <span class="reply">comments &rarr;</span>', 'twentyeleven' ) ); ?>
 				</span>
@@ -100,7 +100,7 @@ class Twenty_Eleven_Ephemera_Widget extends WP_Widget {
 					if ( false != twentyeleven_url_grabber() )
 						$link_url = twentyeleven_url_grabber();
 				?>
-				<a href="<?php echo $link_url; ?>" title="<?php printf( esc_attr__( 'Link to %s', 'twentyeleven' ), the_title_attribute( 'echo=0' ) ); ?>" rel="bookmark"><?php the_title(); ?>&nbsp;<span>&rarr;</span></a>
+				<a href="<?php echo esc_url( $link_url ); ?>" title="<?php printf( esc_attr__( 'Link to %s', 'twentyeleven' ), the_title_attribute( 'echo=0' ) ); ?>" rel="bookmark"><?php the_title(); ?>&nbsp;<span>&rarr;</span></a>
 				<span class="comments-link">
 					<?php comments_popup_link( __( '0 <span class="reply">comments &rarr;</span>', 'twentyeleven' ), __( '1 <span class="reply">comment &rarr;</span>', 'twentyeleven' ), __( '% <span class="reply">comments &rarr;</span>', 'twentyeleven' ) ); ?>
 				</span>