Index: wp-content/themes/twentythirteen/functions.php
===================================================================
--- wp-content/themes/twentythirteen/functions.php	(revision 29396)
+++ wp-content/themes/twentythirteen/functions.php	(working copy)
@@ -146,7 +146,7 @@
 			'family' => urlencode( implode( '|', $font_families ) ),
 			'subset' => urlencode( 'latin,latin-ext' ),
 		);
-		$fonts_url = add_query_arg( $query_args, "//fonts.googleapis.com/css" );
+		$fonts_url = add_query_arg( $query_args, '//fonts.googleapis.com/css' );
 	}
 
 	return $fonts_url;
@@ -319,7 +319,7 @@
  */
 function twentythirteen_entry_meta() {
 	if ( is_sticky() && is_home() && ! is_paged() )
-		echo '<span class="featured-post">' . __( 'Sticky', 'twentythirteen' ) . '</span>';
+		echo '<span class="featured-post">' . esc_html__( 'Sticky', 'twentythirteen' ) . '</span>';
 
 	if ( ! has_post_format( 'link' ) && 'post' == get_post_type() )
 		twentythirteen_entry_date();
@@ -413,7 +413,7 @@
 		'post_type'      => 'attachment',
 		'post_mime_type' => 'image',
 		'order'          => 'ASC',
-		'orderby'        => 'menu_order ID'
+		'orderby'        => 'menu_order ID',
 	) );
 
 	// If there is more than 1 attachment in a gallery...
Index: wp-content/themes/twentythirteen/inc/custom-header.php
===================================================================
--- wp-content/themes/twentythirteen/inc/custom-header.php	(revision 29396)
+++ wp-content/themes/twentythirteen/inc/custom-header.php	(working copy)
@@ -217,11 +217,16 @@
  */
 function twentythirteen_admin_header_image() {
 	?>
-	<div id="headimg" style="background: url(<?php header_image(); ?>) no-repeat scroll top; background-size: 1600px auto;">
-		<?php $style = ' style="color:#' . get_header_textcolor() . ';"'; ?>
+	<div id="headimg" style="background: url(<?php echo esc_url( get_header_image() ); ?>) no-repeat scroll top; background-size: 1600px auto;">
+		<?php
+		$style = 'color: #' . get_header_textcolor() . ';';
+		if ( ! display_header_text() ) {
+			$style = 'display: none;';
+		}
+		?>
 		<div class="home-link">
-			<h1 class="displaying-header-text"><a id="name"<?php echo $style; ?> onclick="return false;" href="#"><?php bloginfo( 'name' ); ?></a></h1>
-			<h2 id="desc" class="displaying-header-text"<?php echo $style; ?>><?php bloginfo( 'description' ); ?></h2>
+			<h1 class="displaying-header-text"><a id="name" style="<?php echo esc_attr( $style ); ?>" onclick="return false;" href="#"><?php bloginfo( 'name' ); ?></a></h1>
+			<h2 id="desc" class="displaying-header-text" style="<?php echo esc_attr( $style ); ?>"><?php bloginfo( 'description' ); ?></h2>
 		</div>
 	</div>
 <?php }
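Review bot: `esc_url()` on the `background: url(...)` line is the right escaper for the HTML attribute, but the value then sits inside a CSS `url()` within that attribute, and `esc_url()` passes `)` and `;` through, so a crafted header-image URL could close `url()` and append further CSS declarations. Because the header image is a theme mod set by a user who already holds edit-theme-options rights, this is an accepted trust boundary rather than an exploitable hole, but it deserves a comment so the next reader does not assume the escaping covers the CSS context: `// esc_url() covers the attribute; the CSS url() context relies on the header image being admin-controlled.` Separately, `get_header_image()` appears to return `false` when no header image is set, which renders as an empty `url()`; that is harmless but a guard like the one now used for `$style` would keep the preview markup tidy — confirm against the WordPress API before relying on it.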
Index: wp-content/themes/twentythirteen/taxonomy-post_format.php
===================================================================
--- wp-content/themes/twentythirteen/taxonomy-post_format.php	(revision 29396)
+++ wp-content/themes/twentythirteen/taxonomy-post_format.php	(working copy)
@@ -20,7 +20,7 @@
 
 		<?php if ( have_posts() ) : ?>
 			<header class="archive-header">
-				<h1 class="archive-title"><?php printf( __( '%s Archives', 'twentythirteen' ), '<span>' . get_post_format_string( get_post_format() ) . '</span>' ); ?></h1>
+				<h1 class="archive-title"><?php printf( __( '%s Archives', 'twentythirteen' ), '<span>' . esc_html( get_post_format_string( get_post_format() ) ) . '</span>' ); ?></h1>
 			</header><!-- .archive-header -->
 
 			<?php /* The loop */ ?>
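Review bot: The post-format name is now escaped, but the translatable wrapper `__( '%s Archives', 'twentythirteen' )` still reaches `printf()` unescaped, so markup in a translation file would be emitted verbatim — the same pattern the functions.php hunk in this commit moves to `esc_html__()`. Changing the line to `printf( esc_html__( '%s Archives', 'twentythirteen' ), '<span>' . esc_html( get_post_format_string( get_post_format() ) ) . '</span>' );` keeps the literal `<span>` intact (it is in the argument, not the format string) and makes the two files consistent. The surrounding template loop continues outside the hunk.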
