Description: Escape lang attribs
 CVE-2017-17093 - Add escaping to the language attributes used on html elements.
Author: johnbillion@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/42273/branches/4.7
Applied-Upstream: 4.9.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-12-09
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -3118,12 +3118,14 @@
 	if ( function_exists( 'is_rtl' ) && is_rtl() )
 		$attributes[] = 'dir="rtl"';
 
-	if ( $lang = get_bloginfo('language') ) {
-		if ( get_option('html_type') == 'text/html' || $doctype == 'html' )
-			$attributes[] = "lang=\"$lang\"";
+	if ( $lang = get_bloginfo( 'language' ) ) {
+		if ( get_option( 'html_type' ) == 'text/html' || $doctype == 'html' ) {
+			$attributes[] = 'lang="' . esc_attr( $lang ) . '"';
+		}
 
-		if ( get_option('html_type') != 'text/html' || $doctype == 'xhtml' )
-			$attributes[] = "xml:lang=\"$lang\"";
+		if ( get_option( 'html_type' ) != 'text/html' || $doctype == 'xhtml' ) {
+			$attributes[] = 'xml:lang="' . esc_attr( $lang ) . '"';
+		}
 	}
 
 	$output = implode(' ', $attributes);
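Review bot: `esc_attr( $lang )` on the two added `$attributes[]` lines keeps the value from breaking out of the attribute, but it does not constrain what is emitted as the language tag itself, so a stored `WPLANG`/locale value containing spaces or punctuation would still be rendered verbatim inside the quotes. Since `$lang` comes from `get_bloginfo( 'language' )` rather than directly from request input, this is defense in depth rather than a new hole, but a narrow allow-list such as `if ( $lang && preg_match( '/^[A-Za-z0-9_-]+$/', $lang ) ) {` at the top of the block would make the output a well-formed tag regardless of what the option holds. On style, `get_option( 'html_type' )` is now called twice and compared with `==`/`!=`; hoisting it once as `$html_type = get_option( 'html_type' );` and comparing with `===`/`!==` would read more clearly and avoid loose-comparison surprises. The enclosing function starts before and ends after this hunk.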
