From 6843c0fa3c6351decac967dcdc86009167e799fa Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Sun, 21 Nov 2010 13:37:09 +0000
Subject: [PATCH] Escape the wrap ID and class attributes going into sprintf() and s/slug/wrap_id/ to make it more obvious. see #14235.
git-svn-id: https://develop.svn.wordpress.org/trunk@16520 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/nav-menu-template.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/wp-includes/nav-menu-template.php b/wp-includes/nav-menu-template.php
index afdc7fe9e6..fc3e33cdea 100644
--- a/wp-includes/nav-menu-template.php
+++ b/wp-includes/nav-menu-template.php
@@ -205,26 +205,26 @@ function wp_nav_menu( $args = array() ) {
 // Attributes
 if ( ! empty( $args->menu_id ) ) {
- $slug = $args->menu_id;
+ $wrap_id = $args->menu_id;
 } else {
- $slug = 'menu-' . $menu->slug;
- while ( in_array( $slug, $menu_id_slugs ) ) {
- if ( preg_match( '#-(\d+)$#', $slug, $matches ) )
- $slug = preg_replace('#-(\d+)$#', '-' . ++$matches[1], $slug);
+ $wrap_id = 'menu-' . $menu->slug;
+ while ( in_array( $wrap_id, $menu_id_slugs ) ) {
+ if ( preg_match( '#-(\d+)$#', $wrap_id, $matches ) )
+ $wrap_id = preg_replace('#-(\d+)$#', '-' . ++$matches[1], $wrap_id );
 else
- $slug = $slug . '-1';
+ $wrap_id = $wrap_id . '-1';
 }
 }
- $menu_id_slugs[] = $slug;
-
+ $menu_id_slugs[] = $wrap_id;
+
 $wrap_class = $args->menu_class ? $args->menu_class : '';
 // Allow plugins to hook into the menu to add their own
  • 's $items = apply_filters( 'wp_nav_menu_items', $items, $args ); $items = apply_filters( "wp_nav_menu_{$menu->slug}_items", $items, $args ); - - $nav_menu .= sprintf( $args->items_wrap, $slug, $wrap_class, $items ); - unset($items); + + $nav_menu .= sprintf( $args->items_wrap, esc_attr( $wrap_id ), esc_attr( $wrap_class ), $items ); + unset( $items ); if ( $show_container ) $nav_menu .= 'container . '>';
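Review bot: The `esc_attr()` calls on the new `sprintf()` line only protect the output when `$args->items_wrap` places `%1$s` and `%2$s` inside quoted attribute values, and nothing in the hunk records that assumption. The format string comes from `$args`, so presumably a theme or plugin can supply it; a template that puts either placeholder in an unquoted attribute or in element content would still get attribute-escaped text, which is the wrong encoding for those contexts. I would add a comment above the call such as `// %1$s (id) and %2$s (class) are escaped for quoted attribute values; $items is filtered markup and is passed through unescaped.` so the contract for custom `items_wrap` strings and for the `wp_nav_menu_items` filters is explicit. The body of `wp_nav_menu()` starts and ends outside this hunk, so the defaults for `items_wrap` are not visible here.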