Description: Admin: Escape attachment name in case it contains special characters
Author: nbachiyski
Origin: upstream, https://core.trac.wordpress.org/changeset/37790/
Applied-Upstream: 4.1.12
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2016-06-26
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -1506,7 +1506,7 @@
 	 * @param bool        $icon      Whether to include an icon. Default false.
 	 * @param string|bool $text      If string, will be link text. Default false.
 	 */
-	return apply_filters( 'wp_get_attachment_link', "<a href='$url'>$link_text</a>", $id, $size, $permalink, $icon, $text );
+	return apply_filters( 'wp_get_attachment_link', "<a href='" . esc_url( $url ) . "'>$link_text</a>", $id, $size, $permalink, $icon, $text );
 }
 
 /**
