From fa0ba20b37c04dec2807cd69cce9330e30e7c7f3 Mon Sep 17 00:00:00 2001
From: Jeremy Herve
Date: Sat, 8 Nov 2014 15:57:26 +0000
Subject: [PATCH 1/2] Related Posts: decode ellipsis at the end of a long excerpt Reported here: https://wordpress.org/support/topic/related-posts-hellip-typo-on-hover?replies=3
---
 modules/related-posts/jetpack-related-posts.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/related-posts/jetpack-related-posts.php b/modules/related-posts/jetpack-related-posts.php
index d0add8cbde37..228655d4fe13 100644
--- a/modules/related-posts/jetpack-related-posts.php
+++ b/modules/related-posts/jetpack-related-posts.php
@@ -661,7 +661,7 @@ protected function _get_related_post_data_for_post( $post_id, $position, $origin
 'title' => $this->_to_utf8( $this->_get_title( $post->post_title, $post->post_content ) ),
 'date' => get_the_date( '', $post->ID ),
 'format' => get_post_format( $post->ID ),
- 'excerpt' => $this->_to_utf8( $this->_get_excerpt( $post->post_excerpt, $post->post_content ) ),
+ 'excerpt' => html_entity_decode( $this->_to_utf8( $this->_get_excerpt( $post->post_excerpt, $post->post_content ) ), ENT_QUOTES, 'UTF-8' ),
 'context' => apply_filters(
 'jetpack_relatedposts_filter_post_context',
 $this->_to_utf8( $this->_generate_related_post_context( $post->ID ) ),
From 90bd54f924b63a9c30f5a252ab7db26588611c1a Mon Sep 17 00:00:00 2001
From: Xiao Yu
Date: Thu, 21 May 2015 19:14:43 +0000
Subject: [PATCH 2/2] Related Posts: Make sure we escape the excerpt fa0ba20 started calling `html_entity_decode()` on the excerpt so we should escape it when outputing to avoid potential XSS.
---
 modules/related-posts/related-posts.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/related-posts/related-posts.js b/modules/related-posts/related-posts.js
index f44664593008..467e0107a27e 100644
--- a/modules/related-posts/related-posts.js
+++ b/modules/related-posts/related-posts.js
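Review bot: The `html_entity_decode()` call added on the `'excerpt'` entry turns any encoded markup in the excerpt (such as `&lt;` and `&gt;`) back into literal characters, so from this line on the value is plain text and is no longer safe to place into HTML unescaped. Nothing in the hunk records that contract, and the code that consumes this array is outside the hunk, so every output site has to escape it itself. I would add a comment above the entry, `// Decoded to plain text for display; NOT HTML-safe, escape at every output site.`, and check each renderer of the excerpt before merging. Patch 2/2 in this series covers one JavaScript renderer; any other consumer cannot be judged from here. `_get_related_post_data_for_post()` starts and ends outside the hunk.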
@@ -92,7 +92,7 @@ html += anchor[0] + '' + anchor[1]; } html += ''; - html += ''; + html += '

' ).text( post.excerpt ).html() + '

'; html += ''; html += ''; html += '';
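Review bot: The `.text( post.excerpt ).html()` round trip on the added line escapes `&`, `<` and `>` but leaves quote characters untouched, so it is safe only when the result lands in element content; that appears to be the case here, although the markup inside the string literals is not readable on this page. A short comment on that line would keep the idiom from being copied into an attribute value: `// text().html() escapes &, <, > only; use for element content, never inside an attribute.` The context line `html += anchor[0] + '' + anchor[1];` concatenates values built outside the hunk, so whether they receive the same escaping cannot be confirmed from here. The enclosing function starts and ends outside the hunk.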