Index: wp-content/themes/twentyeleven/content-single.php
===================================================================
--- wp-content/themes/twentyeleven/content-single.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-single.php	(working copy)
@@ -15,10 +15,10 @@
 		<div class="entry-meta">
 			<?php
 				printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-					get_permalink(),
+					esc_url( get_permalink() ),
 					get_the_date( 'c' ),
 					get_the_date(),
-					get_author_posts_url( get_the_author_meta( 'ID' ) ),
+					esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 					sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 					get_the_author()
 				);
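Review bot: The author name is still unescaped in this printf: the `%5$s` title argument is `sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() )`, which escapes the translated format but not the name substituted into it, and `%6$s` passes `get_the_author()` raw as link text. Escaping the finished string, `esc_attr( sprintf( __( 'View all posts by %s', 'twentyeleven' ), get_the_author() ) )`, and using `esc_html( get_the_author() )` for the text would match what the commit now does for the two hrefs. Whether the display name is sanitized on save or changed by a filter is not visible here, so escaping at output is the safer assumption. The same pair of arguments appears in the matching hunks of content-aside.php, content-link.php, content-featured.php, content.php, content-image.php, content-status.php, content-quote.php and content-gallery.php, and the raw name is also printed as text in this file's third hunk and in author.php.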
@@ -45,10 +45,10 @@
 				/* translators: used between list items, there is a space after the comma */
 				get_the_category_list( __( ', ', 'twentyeleven' ) ),
 				$tag_list,
-				get_permalink(),
+				esc_url( get_permalink() ),
 				the_title_attribute( 'echo=0' ),
 				get_the_author(),
-				get_author_posts_url( get_the_author_meta( 'ID' ) )
+				esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) )
 			);
 		?>
 		<?php edit_post_link( __( 'Edit', 'twentyeleven' ), '<span class="edit-link">', '</span>' ); ?>
@@ -62,7 +62,7 @@
 				<h2><?php printf( esc_attr__( 'About %s', 'twentyeleven' ), get_the_author() ); ?></h2>
 				<?php the_author_meta( 'description' ); ?>
 				<div id="author-link">
-					<a href="<?php echo get_author_posts_url( get_the_author_meta( 'ID' ) ); ?>">
+					<a href="<?php echo esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ); ?>">
 						<?php printf( __( 'View all posts by %s <span class="meta-nav">&rarr;</span>', 'twentyeleven' ), get_the_author() ); ?>
 					</a>
 				</div><!-- #author-link	-->
Index: wp-content/themes/twentyeleven/content-aside.php
===================================================================
--- wp-content/themes/twentyeleven/content-aside.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-aside.php	(working copy)
@@ -41,10 +41,10 @@
 		<footer class="entry-meta">
 			<?php
 				printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-					get_permalink(),
+					esc_url( get_permalink() ),
 					get_the_date( 'c' ),
 					get_the_date(),
-					get_author_posts_url( get_the_author_meta( 'ID' ) ),
+					esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 					sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 					get_the_author()
 				);
Index: wp-content/themes/twentyeleven/author.php
===================================================================
--- wp-content/themes/twentyeleven/author.php	(revision 18052)
+++ wp-content/themes/twentyeleven/author.php	(working copy)
@@ -24,7 +24,7 @@
 				?>
 
 				<header class="page-header">
-					<h1 class="page-title author"><?php printf( __( 'Author Archives: %s', 'twentyeleven' ), '<span class="vcard"><a class="url fn n" href="' . get_author_posts_url( get_the_author_meta( "ID" ) ) . '" title="' . esc_attr( get_the_author() ) . '" rel="me">' . get_the_author() . '</a></span>' ); ?></h1>
+					<h1 class="page-title author"><?php printf( __( 'Author Archives: %s', 'twentyeleven' ), '<span class="vcard"><a class="url fn n" href="' . esc_url( get_author_posts_url( get_the_author_meta( "ID" ) ) ) . '" title="' . esc_attr( get_the_author() ) . '" rel="me">' . get_the_author() . '</a></span>' ); ?></h1>
 				</header>
 
 				<?php
Index: wp-content/themes/twentyeleven/content-link.php
===================================================================
--- wp-content/themes/twentyeleven/content-link.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-link.php	(working copy)
@@ -41,10 +41,10 @@
 		<footer class="entry-meta">
 			<?php
 				printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-					get_permalink(),
+					esc_url( get_permalink() ),
 					get_the_date( 'c' ),
 					get_the_date(),
-					get_author_posts_url( get_the_author_meta( 'ID' ) ),
+					esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 					sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 					get_the_author()
 				);
Index: wp-content/themes/twentyeleven/content-featured.php
===================================================================
--- wp-content/themes/twentyeleven/content-featured.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-featured.php	(working copy)
@@ -16,10 +16,10 @@
 		<div class="entry-meta">
 			<?php
 				printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-					get_permalink(),
+					esc_url( get_permalink() ),
 					get_the_date( 'c' ),
 					get_the_date(),
-					get_author_posts_url( get_the_author_meta( 'ID' ) ),
+					esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 					sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 					get_the_author()
 				);
@@ -46,7 +46,7 @@
 				/* translators: used between list items, there is a space after the comma */
 				get_the_category_list( __( ', ', 'twentyeleven' ) ),
 				$tag_list,
-				get_permalink(),
+				esc_url( get_permalink() ),
 				the_title_attribute( 'echo=0' )
 			);
 		?>
Index: wp-content/themes/twentyeleven/content.php
===================================================================
--- wp-content/themes/twentyeleven/content.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content.php	(working copy)
@@ -23,10 +23,10 @@
 			<div class="entry-meta">
 				<?php
 					printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-						get_permalink(),
+						esc_url( get_permalink() ),
 						get_the_date( 'c' ),
 						get_the_date(),
-						get_author_posts_url( get_the_author_meta( 'ID' ) ),
+						esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 						sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 						get_the_author()
 					);
Index: wp-content/themes/twentyeleven/content-image.php
===================================================================
--- wp-content/themes/twentyeleven/content-image.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-image.php	(working copy)
@@ -40,10 +40,10 @@
 			<div class="entry-meta">
 				<?php
 					printf( __( '<a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-						get_permalink(),
+						esc_url( get_permalink() ),
 						get_the_date( 'c' ),
 						get_the_date(),
-						get_author_posts_url( get_the_author_meta( 'ID' ) ),
+						esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 						sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 						get_the_author()
 					);
Index: wp-content/themes/twentyeleven/content-status.php
===================================================================
--- wp-content/themes/twentyeleven/content-status.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-status.php	(working copy)
@@ -42,10 +42,10 @@
 		<footer class="entry-meta">
 			<?php
 				printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-					get_permalink(),
+					esc_url( get_permalink() ),
 					get_the_date( 'c' ),
 					get_the_date(),
-					get_author_posts_url( get_the_author_meta( 'ID' ) ),
+					esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 					sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 					get_the_author()
 				);
Index: wp-content/themes/twentyeleven/content-quote.php
===================================================================
--- wp-content/themes/twentyeleven/content-quote.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-quote.php	(working copy)
@@ -19,10 +19,10 @@
 			<div class="entry-meta">
 				<?php
 					printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-						get_permalink(),
+						esc_url( get_permalink() ),
 						get_the_date( 'c' ),
 						get_the_date(),
-						get_author_posts_url( get_the_author_meta( 'ID' ) ),
+						esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 						sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 						get_the_author()
 					);
Index: wp-content/themes/twentyeleven/content-gallery.php
===================================================================
--- wp-content/themes/twentyeleven/content-gallery.php	(revision 18052)
+++ wp-content/themes/twentyeleven/content-gallery.php	(working copy)
@@ -20,10 +20,10 @@
 		<div class="entry-meta">
 			<?php
 				printf( __( '<span class="sep">Posted on </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'twentyeleven' ),
-					get_permalink(),
+					esc_url( get_permalink() ),
 					get_the_date( 'c' ),
 					get_the_date(),
-					get_author_posts_url( get_the_author_meta( 'ID' ) ),
+					esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
 					sprintf( esc_attr__( 'View all posts by %s', 'twentyeleven' ), get_the_author() ),
 					get_the_author()
 				);
@@ -54,7 +54,7 @@
 				</figure><!-- .gallery-thumb -->
 
 				<p><em><?php printf( _n( 'This gallery contains <a %1$s>%2$s photo</a>.', 'This gallery contains <a %1$s>%2$s photos</a>.', $total_images, 'twentyeleven' ),
-						'href="' . get_permalink() . '" title="' . sprintf( esc_attr__( 'Permalink to %s', 'twentyeleven' ), the_title_attribute( 'echo=0' ) ) . '" rel="bookmark"',
+						'href="' . esc_url( get_permalink() ) . '" title="' . sprintf( esc_attr__( 'Permalink to %s', 'twentyeleven' ), the_title_attribute( 'echo=0' ) ) . '" rel="bookmark"',
 						number_format_i18n( $total_images )
 					); ?></em></p>
 			<?php endif; ?>
Index: wp-content/themes/twentyeleven/functions.php
===================================================================
--- wp-content/themes/twentyeleven/functions.php	(revision 18052)
+++ wp-content/themes/twentyeleven/functions.php	(working copy)
@@ -325,7 +325,7 @@
  * Returns a "Continue Reading" link for excerpts
  */
 function twentyeleven_continue_reading_link() {
-	return ' <a href="'. get_permalink() . '">' . __( 'Continue reading <span class="meta-nav">&rarr;</span>', 'twentyeleven' ) . '</a>';
+	return ' <a href="'. esc_url( get_permalink() ) . '">' . __( 'Continue reading <span class="meta-nav">&rarr;</span>', 'twentyeleven' ) . '</a>';
 }
 
 /**
Index: wp-content/themes/twentyeleven/image.php
===================================================================
--- wp-content/themes/twentyeleven/image.php	(revision 18052)
+++ wp-content/themes/twentyeleven/image.php	(working copy)
@@ -29,10 +29,10 @@
 								printf( __( '<span class="meta-prep meta-prep-entry-date">Published </span> <span class="entry-date"><abbr class="published" title="%1$s">%2$s</abbr></span> at <a href="%3$s" title="Link to full-size image">%4$s &times; %5$s</a> in <a href="%6$s" title="Return to %7$s" rel="gallery">%7$s</a>', 'twentyeleven' ),
 									esc_attr( get_the_time() ),
 									get_the_date(),
-									wp_get_attachment_url(),
+									esc_url( wp_get_attachment_url() ),
 									$metadata['width'],
 									$metadata['height'],
-									get_permalink( $post->post_parent ),
+									esc_url( get_permalink( $post->post_parent ) ),
 									get_the_title( $post->post_parent )
 								);
 							?>
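Review bot: `%7$s` is still filled with the raw `get_the_title( $post->post_parent )` and appears twice in the format, once inside `title="Return to %7$s"` and once as link text, so the parent title reaches an attribute without attribute escaping. Giving the attribute its own argument, `esc_attr( strip_tags( get_the_title( $post->post_parent ) ) ),` placed before the existing title argument, and changing the link-text placeholder to `%8$s` keeps the two contexts separate; this changes the translatable string, so translations would need updating. `$metadata['width']` and `$metadata['height']` are also printed as-is; if they are meant to be integers, wrapping each in `absint()` would make that explicit. The enclosing PHP block opens before the hunk.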
@@ -69,7 +69,7 @@
 		$next_attachment_url = wp_get_attachment_url();
 	}
 ?>
-								<a href="<?php echo $next_attachment_url; ?>" title="<?php echo esc_attr( get_the_title() ); ?>" rel="attachment"><?php
+								<a href="<?php echo esc_url( $next_attachment_url ); ?>" title="<?php echo esc_attr( get_the_title() ); ?>" rel="attachment"><?php
 								$attachment_size = apply_filters( 'twentyeleven_attachment_size', 848 );
 								echo wp_get_attachment_image( $post->ID, array( $attachment_size, 1024 ) ); // filterable image width with 1024px limit for image height.
 								?></a>
@@ -92,9 +92,9 @@
 
 					<footer class="entry-meta">
 						<?php if ( comments_open() && pings_open() ) : // Comments and trackbacks open ?>
-							<?php printf( __( '<a class="comment-link" href="#respond" title="Post a comment">Post a comment</a> or leave a trackback: <a class="trackback-link" href="%s" title="Trackback URL for your post" rel="trackback">Trackback URL</a>.', 'twentyeleven' ), get_trackback_url() ); ?>
+							<?php printf( __( '<a class="comment-link" href="#respond" title="Post a comment">Post a comment</a> or leave a trackback: <a class="trackback-link" href="%s" title="Trackback URL for your post" rel="trackback">Trackback URL</a>.', 'twentyeleven' ), esc_url( get_trackback_url() ) ); ?>
 						<?php elseif ( ! comments_open() && pings_open() ) : // Only trackbacks open ?>
-							<?php printf( __( 'Comments are closed, but you can leave a trackback: <a class="trackback-link" href="%s" title="Trackback URL for your post" rel="trackback">Trackback URL</a>.', 'twentyeleven' ), get_trackback_url() ); ?>
+							<?php printf( __( 'Comments are closed, but you can leave a trackback: <a class="trackback-link" href="%s" title="Trackback URL for your post" rel="trackback">Trackback URL</a>.', 'twentyeleven' ), esc_url( get_trackback_url() ) ); ?>
 						<?php elseif ( comments_open() && ! pings_open() ) : // Only comments open ?>
 							<?php _e( 'Trackbacks are closed, but you can <a class="comment-link" href="#respond" title="Post a comment">post a comment</a>.', 'twentyeleven' ); ?>
 						<?php elseif ( ! comments_open() && ! pings_open() ) : // Comments and trackbacks closed ?>
