--- a/wp/wp-admin/admin-header.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-admin/admin-header.php Fri Sep 05 18:40:08 2025 +0200
@@ -14,7 +14,7 @@
/**
* In case admin-header.php is included in a function.
*
- * @global string $title
+ * @global string $title The title of the current screen.
* @global string $hook_suffix
* @global WP_Screen $current_screen WordPress current screen object.
* @global WP_Locale $wp_locale WordPress date and time locale object.
@@ -109,7 +109,7 @@
<?php
/**
- * Enqueue scripts for all admin pages.
+ * Fires when enqueuing scripts for all admin pages.
*
* @since 2.8.0
*
@@ -242,7 +242,7 @@
$admin_body_classes = apply_filters( 'admin_body_class', '' );
$admin_body_classes = ltrim( $admin_body_classes . ' ' . $admin_body_class );
?>
-<body class="wp-admin wp-core-ui no-js <?php echo $admin_body_classes; ?>">
+<body class="wp-admin wp-core-ui no-js <?php echo esc_attr( $admin_body_classes ); ?>">
<script type="text/javascript">
document.body.className = document.body.className.replace('no-js','js');
</script>
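Review bot: The `esc_attr()` call on the `<body>` line is the only thing between third-party `admin_body_class` callbacks and the attribute, and nothing next to it says so. A one-line comment before the closing `?>` would keep a later cleanup from dropping the call, for example `// Value comes from the 'admin_body_class' filter (plugin-controlled); escape late for the attribute context.`. Escaping stops a value from breaking out of the attribute but does not limit the tokens to valid class names. If that is wanted, each token could be passed through `sanitize_html_class()` before the join, though that changes behaviour for plugins and belongs in a separate commit. The code that builds `$admin_body_class` starts above the hunk, so its contents cannot be checked from here.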