From e814f49f74016fe44f9bda2f44077999f5337194 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Wed, 26 Jul 2017 13:21:37 +0000
Subject: [PATCH] Users: Use `esc_url()` instead of `esc_attr()` to escape the value of the `srcset` attribute in `get_avatar()`. Props joemcgill, henry.wright. Fixes #41215. git-svn-id: https://develop.svn.wordpress.org/trunk@41156 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/pluggable.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index b8bed355fc..4a4776b264 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -2535,7 +2535,7 @@ function get_avatar( $id_or_email, $size = 96, $default = '', $alt = '', $args =
 "%s",
 esc_attr( $args['alt'] ),
 esc_url( $url ),
- esc_attr( "$url2x 2x" ),
+ esc_url( $url2x ) . ' 2x',
 esc_attr( join( ' ', $class ) ),
 (int) $args['height'],
 (int) $args['width'],
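Review bot: The new argument `esc_url( $url2x ) . ' 2x'` appends the descriptor even when `esc_url()` returns an empty string, which it does for an empty URL or a scheme outside the allowed protocols, so the markup would carry `srcset=' 2x'`, a candidate with no URL. Where `$url2x` is assigned is outside this hunk, so I cannot confirm whether it is validated the way `$url` may be. If it is not, compute the value before the `sprintf()` call, for example `$srcset = esc_url( $url2x );` followed by `$srcset = '' !== $srcset ? $srcset . ' 2x' : '';`, and pass `$srcset` here. The commit changes one file and adds no test; a case asserting the rendered `srcset` for a URL containing `&` and for a rejected scheme would pin the escaping behaviour. The body of `get_avatar()` starts and ends outside the hunk.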