From 1f0cd2b05470b29fcaf844eddcfec4a2ac19ae19 Mon Sep 17 00:00:00 2001
From: markjaquith <markjaquith@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Fri, 15 Jun 2012 17:02:39 +0000
Subject: [PATCH] Always escape the output of get_pagenum_link(). fixes #14556
 for the 3.3 branch.

git-svn-id: http://core.svn.wordpress.org/branches/3.3@21084 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/link-template.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php
index 7c5f51195f..3931d69cf7 100644
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -1375,9 +1375,11 @@ function adjacent_post_link($format, $link, $in_same_cat = false, $excluded_cate
  * @since 1.5.0
  *
  * @param int $pagenum Optional. Page ID.
+ * @param bool $escape Optional. Whether to escape the URL for display, with esc_url(). Defaults to true.
+* 	Otherwise, prepares the URL with esc_url_raw().
  * @return string
  */
-function get_pagenum_link($pagenum = 1) {
+function get_pagenum_link($pagenum = 1, $escape = true ) {
 	global $wp_rewrite;
 
 	$pagenum = (int) $pagenum;
@@ -1428,7 +1430,10 @@ function get_pagenum_link($pagenum = 1) {
 
 	$result = apply_filters('get_pagenum_link', $result);
 
-	return $result;
+	if ( $escape )
+		return esc_url( $result );
+	else
+		return esc_url_raw( $result );
 }
 
 /**