diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index d96c5e754c..f1c3243727 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -806,7 +806,7 @@ function is_blog_installed() {
 }
 function wp_nonce_url($actionurl, $action = -1) {
- return add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl);
+ return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
 }
 function wp_nonce_field($action = -1) {
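Review bot: Wrapping the return value of wp_nonce_url() in wp_specialchars() HTML-encodes the URL for every caller, so `&` becomes `&amp;` even where the value is never emitted into HTML, e.g. a redirect/Location header, a JavaScript string, or a caller that already escapes the attribute it prints (which then double-encodes). Escaping is context-specific and belongs at the output site rather than in the URL builder; if the intent is to make the common `<a href="...">` case safe by default, the contract change should at least be documented on the function so callers know the result is already HTML-escaped. A one-line docblock such as `// Returns the URL HTML-escaped via wp_specialchars(); do not use the result in headers or JavaScript without decoding` above wp_nonce_url() would make that explicit. The same consideration applies to any other URL-returning helper in this file that is escaped the same way, which I cannot see from this hunk.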