diff -r be944660c56a -r 3d72ae0968f4 wp/wp-admin/menu-header.php
--- a/wp/wp-admin/menu-header.php	Wed Sep 21 18:19:35 2022 +0200
+++ b/wp/wp-admin/menu-header.php	Tue Sep 27 16:37:53 2022 +0200
@@ -59,7 +59,7 @@
  * @global string $parent_file
  * @global string $submenu_file
  * @global string $plugin_page
- * @global string $typenow
+ * @global string $typenow      The post type of the current screen.
  *
  * @param array $menu
  * @param array $submenu
@@ -123,12 +123,13 @@
 		 * as special cases.
 		 */
 		if ( ! empty( $item[6] ) ) {
-			$img = '<img src="' . $item[6] . '" alt="" />';
+			$img = '<img src="' . esc_url( $item[6] ) . '" alt="" />';
 
 			if ( 'none' === $item[6] || 'div' === $item[6] ) {
 				$img = '<br />';
 			} elseif ( 0 === strpos( $item[6], 'data:image/svg+xml;base64,' ) ) {
-				$img       = '<br />';
+				$img = '<br />';
+				// The value is base64-encoded data, so esc_attr() is used here instead of esc_url().
 				$img_style = ' style="background-image:url(\'' . esc_attr( $item[6] ) . '\')"';
 				$img_class = ' svg';
 			} elseif ( 0 === strpos( $item[6], 'dashicons-' ) ) {