From 3213c4ca46475d025c209a575eb7995d9d9bd0c7 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov@git.wordpress.org>
Date: Thu, 7 Mar 2013 05:30:00 +0000
Subject: [PATCH] Always escape the URL echoed by header_image(). fixes #23664.

git-svn-id: https://develop.svn.wordpress.org/trunk@23633 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/theme.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wp-includes/theme.php b/wp-includes/theme.php
index 9f1de9c863..8b8f42c8fc 100644
--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@@ -981,12 +981,12 @@ function is_random_header_image( $type = 'any' ) {
 }
 
 /**
- * Display header image path.
+ * Display header image URL.
  *
  * @since 2.1.0
  */
 function header_image() {
-	echo get_header_image();
+	echo esc_url( get_header_image() );
 }
 
 /**