diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 8626b21630..94db102c51 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2356,11 +2356,11 @@ function wp_rel_nofollow_callback( $matches ) {
 
 		$html = '';
 		foreach ( $atts as $name => $value ) {
-			$html .= "{$name}=\"$value\" ";
+			$html .= "{$name}=\"" . esc_attr( $value ) . "\" ";
 		}
 		$text = trim( $html );
 	}
-	return "<a $text rel=\"$rel\">";
+	return "<a $text rel=\"" . esc_attr( $rel ) . "\">";
 }
 
 /**