diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 44d378d345..e7f4f6bd56 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -2119,7 +2119,7 @@ function wp_ajax_heartbeat() {
 	$screen_id = 'front';
 	if ( ! empty($_POST['data']) ) {
-		$data = (array) $_POST['data'];
+		$data = wp_unslash( (array) $_POST['data'] );
 		/**
 		 * Filter the Heartbeat response received.
diff --git a/src/wp-admin/includes/post.php b/src/wp-admin/includes/post.php
index e67352128f..f6030b9840 100644
--- a/src/wp-admin/includes/post.php
+++ b/src/wp-admin/includes/post.php
@@ -1450,9 +1450,9 @@ function wp_autosave( $post_data ) {
 	if ( ! wp_check_post_lock( $post->ID ) && get_current_user_id() == $post->post_author && ( 'auto-draft' == $post->post_status || 'draft' == $post->post_status ) ) {
 		// Drafts and auto-drafts are just overwritten by autosave for the same user if the post is not locked
-		return edit_post( $post_data );
+		return edit_post( wp_slash( $post_data ) );
 	} else {
 		// Non drafts or other users drafts are not overwritten. The autosave is stored in a special post revision for each user.
-		return wp_create_post_autosave( $post_data );
+		return wp_create_post_autosave( wp_slash( $post_data ) );
 	}
 }
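Review bot: The unslashed `$data` on the added line in wp_ajax_heartbeat is still raw request input when it reaches the filter whose docblock follows, and nothing in the hunk records that it has already been unslashed; a callback that calls wp_unslash() a second time would strip legitimate backslashes from the payload, and one that treats it as cleaned would skip sanitization. I'd add a comment above the assignment: `// $_POST is slashed by WordPress; unslash exactly once here. $data is otherwise raw client input, so filter callbacks must sanitize the keys they read.` Any nonce or capability check for this handler is outside the hunk, so I cannot confirm from here that the request is verified before this point. wp_ajax_heartbeat starts and ends outside the hunk.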
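Review bot: wp_autosave now applies wp_slash() to `$post_data` on both return lines, which changes the function's input contract to "unslashed array", but nothing in the hunk states it; a caller that still hands in already-slashed `$_POST` data would get content double-escaped into the database. I'd record it on the @param line of the docblock, which sits outside the hunk: `@param array $post_data Unslashed post data; wp_slash() is applied here before saving.` Since both branches wrap the same value, a single `$post_data = wp_slash( $post_data );` before the `if` would keep that contract in one place and avoid the two call sites drifting apart. The function's signature and the `$post` lookup used in the condition are outside the hunk.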