From 9a9278ca1aaf26d617c51b2dc83f9e7e5831954c Mon Sep 17 00:00:00 2001
From: Andrea Fercia <afercia@git.wordpress.org>
Date: Tue, 12 Jan 2016 08:57:41 +0000
Subject: [PATCH] After [36263] escape filterable HTML output.

Props adamsilverstein.
Fixes #35064.

git-svn-id: https://develop.svn.wordpress.org/trunk@36267 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/options-general.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/options-general.php b/src/wp-admin/options-general.php
index 5f18170ea8..11bda9545e 100644
--- a/src/wp-admin/options-general.php
+++ b/src/wp-admin/options-general.php
@@ -243,7 +243,7 @@ if ( empty($tzstring) ) { // Create a UTC+- zone if no timezone string exists
 			echo " checked='checked'";
 			$custom = false;
 		}
-		echo ' /> <span class="date-time-text format-i18n">' . date_i18n( $format ) . '</span><code>' . $format . "</code></label><br />\n";
+		echo ' /> <span class="date-time-text format-i18n">' . date_i18n( $format ) . '</span><code>' . esc_html( $format ) . "</code></label><br />\n";
 	}
 
 	echo '<label><input type="radio" name="date_format" id="date_format_custom_radio" value="\c\u\s\t\o\m"';
@@ -279,7 +279,7 @@ if ( empty($tzstring) ) { // Create a UTC+- zone if no timezone string exists
 			echo " checked='checked'";
 			$custom = false;
 		}
-		echo ' /> <span class="date-time-text format-i18n">' . date_i18n( $format ) . '</span><code>' . $format . "</code></label><br />\n";
+		echo ' /> <span class="date-time-text format-i18n">' . date_i18n( $format ) . '</span><code>' . esc_html( $format ) . "</code></label><br />\n";
 	}
 
 	echo '<label><input type="radio" name="time_format" id="time_format_custom_radio" value="\c\u\s\t\o\m"';