Index: formatting.php
===================================================================
--- formatting.php	(revision 35622)
+++ formatting.php	(working copy)
@@ -1641,21 +1641,26 @@
  * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
  * string then it will return the alternative value supplied.
  *
- * @todo Expand to support the full range of CDATA that a class attribute can contain.
- *
  * @since 2.8.0
  *
  * @param string $class    The classname to be sanitized
  * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
  * 	Defaults to an empty string.
+ * @param bool $strict Optional, since 4.4.0. When true, a blacklist of characters will be striped out from the $class, else a whitelist will be used.
  * @return string The sanitized value
  */
-function sanitize_html_class( $class, $fallback = '' ) {
+function sanitize_html_class( $class, $fallback = '', $strict = false ) {
 	//Strip out any % encoded octets
 	$sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
 
-	//Limit to A-Z,a-z,0-9,_,-
-	$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
+	if ( false === $strict ) {
+		// Limit to A-Z,a-z,0-9,_,-, the whitelist
+		$pattern = '/[^A-Za-z0-9@_-]/';
+	} else { // Since 4.4.0
+		// Remove meaningful CSS characters, the blacklist
+ 		$pattern = '/[\\\\#%&\',-\/:;<=>@`~\^\$\.\!\[\]\|\{\}\(\)\?\*\+"\s]/'; 
+ 	}
+	$sanitized = preg_replace( $pattern, '', $sanitized );
 
 	if ( '' == $sanitized && $fallback ) {
 		return sanitize_html_class( $fallback );
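Review bot: The default path on line 28 silently widens the long-standing allowlist by adding `@`, which the docblock does not mention and which the new denylist on line 31 itself strips, so the two modes disagree about the same character; keep the default as `$pattern = '/[^A-Za-z0-9_-]/';` unless the widening is intended and documented in the `@param` text. In the denylist, `,-\/` inside the character class is a range from `,` to `/` rather than three literals (it happens to cover `,`, `-`, `.`, `/`, but only by accident), so write it as `,\-\/` to make the intent explicit. A denylist also passes everything it does not name: `\s` does not match NUL or other C0 control bytes, so in strict mode those survive into the returned class value, presumably relying on later attribute escaping; worth either a comment stating that reliance or adding `\x00-\x1f\x7f` to the class. The recursive fallback on line 36 does not forward `$strict`, so a fallback is always allowlist-sanitized; confirm that is deliberate. The body of `sanitize_html_class` continues past the hunk.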
