Description: Cross-Site Scripting (XSS) in posts list table
 Posts, Post Types: When using Excerpt mode on the Posts list table, ensure
 the excerpt output matches what was manually entered into the Excerpt field.
 Merges changeset 39956 to the 4.1 branch.
Author: johnbillion@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/39985
Bug-Debian: https://bugs.debian.org/852767
Applied-Upstream: 4.7.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-01-27
--- a/wp-admin/includes/class-wp-posts-list-table.php
+++ b/wp-admin/includes/class-wp-posts-list-table.php
@@ -691,8 +691,9 @@
 					echo '<div class="locked-info"><span class="locked-avatar">' . $locked_avatar . '</span> <span class="locked-text">' . $locked_text . "</span></div>\n";
 				}
 
-				if ( ! $this->hierarchical_display && 'excerpt' == $mode && current_user_can( 'read_post', $post->ID ) )
-						the_excerpt();
+				if ( ! $this->hierarchical_display && 'excerpt' == $mode && current_user_can( 'read_post', $post->ID ) ) {
+						echo esc_html( get_the_excerpt() );
+				}
 
 				$actions = array();
 				if ( $can_edit_post && 'trash' != $post->post_status ) {
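Review bot: The added `echo esc_html( get_the_excerpt() );` carries no comment saying why it replaced `the_excerpt()`, so a later cleanup could swap the template tag back and reintroduce the XSS this patch closes. I would put a comment above the `if`, for example `// Excerpt is author-supplied: print it as escaped text, not via the_excerpt(), which echoes filtered HTML.` The `echo` line also keeps the extra tab from the old brace-less body and sits two levels inside the `if`; a single tab would match the braced blocks around it. The enclosing method starts and ends outside this hunk, so where `$mode` comes from cannot be checked from here.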
