From 3713ac5ebc90fb2011e98dfd691420f43da6c09a Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Wed, 29 Nov 2017 15:55:47 +0000
Subject: [PATCH] Hardening: Add escaping to the language attributes used on `html` elements.
Built from https://develop.svn.wordpress.org/trunk@42259
git-svn-id: http://core.svn.wordpress.org/trunk@42088 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/general-template.php | 12 +++++++-----
 wp-includes/version.php | 2 +-
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php
index 55db605882..c579668615 100644
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -3568,12 +3568,14 @@ function get_language_attributes( $doctype = 'html' ) {
 if ( function_exists( 'is_rtl' ) && is_rtl() )
 $attributes[] = 'dir="rtl"';
- if ( $lang = get_bloginfo('language') ) {
- if ( get_option('html_type') == 'text/html' || $doctype == 'html' )
- $attributes[] = "lang=\"$lang\"";
+ if ( $lang = get_bloginfo( 'language' ) ) {
+ if ( get_option( 'html_type' ) == 'text/html' || $doctype == 'html' ) {
+ $attributes[] = 'lang="' . esc_attr( $lang ) . '"';
+ }
- if ( get_option('html_type') != 'text/html' || $doctype == 'xhtml' )
- $attributes[] = "xml:lang=\"$lang\"";
+ if ( get_option( 'html_type' ) != 'text/html' || $doctype == 'xhtml' ) {
+ $attributes[] = 'xml:lang="' . esc_attr( $lang ) . '"';
+ }
 }
 $output = implode(' ', $attributes);
diff --git a/wp-includes/version.php b/wp-includes/version.php
index f5f8415d41..3869234559 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.0-alpha-42258';
+$wp_version = '5.0-alpha-42259';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
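Review bot: Nothing in the function tells callers that the string it builds is already attribute-escaped, now that `$lang` goes through `esc_attr()` at both `$attributes[]` assignments in the general-template.php hunk. The body continues past this hunk (`$output = implode(' ', $attributes);` is the last visible line), so how `$output` is returned or filtered cannot be seen here; if it is handed to other code before being printed, anything appended there needs its own escaping, because the finished string cannot be escaped a second time without double-encoding the quotes. I would add a comment above the `if ( $lang = … )` block, e.g. `// Escape per value here: the joined attribute string is markup and must not be escaped again.`, and mirror it in the docblock's return description. As a style point, the rewritten conditions keep the loose `==` and `!=`; `===` and `!==` would be the stricter form while these lines are being touched.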