diff --git src/wp-includes/kses.php src/wp-includes/kses.php
index 0cf4ce14c4..fde35e8638 100644
--- src/wp-includes/kses.php
+++ src/wp-includes/kses.php
@@ -549,7 +549,7 @@ function wp_kses_one_attr( $string, $element ) {
 	$allowed_html = wp_kses_allowed_html( 'post' );
 	$allowed_protocols = wp_allowed_protocols();
 	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-	
+
 	// Preserve leading and trailing whitespace.
 	$matches = array();
 	preg_match('/^\s*/', $string, $matches);
@@ -561,7 +561,7 @@ function wp_kses_one_attr( $string, $element ) {
 	} else {
 		$string = substr( $string, strlen( $lead ), -strlen( $trail ) );
 	}
-	
+
 	// Parse attribute name and value from input.
 	$split = preg_split( '/\s*=\s*/', $string, 2 );
 	$name = $split[0];
@@ -598,7 +598,7 @@ function wp_kses_one_attr( $string, $element ) {
 		$value = '';
 		$vless = 'y';
 	}
-	
+
 	// Sanitize attribute by name.
 	wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
 
@@ -1062,7 +1062,7 @@ function wp_kses_attr_parse( $element ) {
 	} else {
 		$xhtml_slash = '';
 	}
-	
+
 	// Split it
 	$attrarr = wp_kses_hair_parse( $attr );
 	if ( false === $attrarr ) {
@@ -1072,7 +1072,7 @@ function wp_kses_attr_parse( $element ) {
 	// Make sure all input is returned by adding front and back matter.
 	array_unshift( $attrarr, $begin . $slash . $elname );
 	array_push( $attrarr, $xhtml_slash . $end );
-	
+
 	return $attrarr;
 }
 
@@ -1215,8 +1215,11 @@ function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {
  * @param array  $allowed_protocols Allowed protocols to keep
  * @return string Filtered content
  */
-function wp_kses_bad_protocol($string, $allowed_protocols) {
-	$string = wp_kses_no_null($string);
+function wp_kses_bad_protocol( $string, $allowed_protocols = array() ) {
+	if ( empty( $allowed_protocols ) ) {
+		$allowed_protocols = wp_allowed_protocols();
+	}
+	$string     = wp_kses_no_null( $string );
 	$iterations = 0;
 
 	do {
@@ -1693,9 +1696,6 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 	$css = wp_kses_no_null($css);
 	$css = str_replace(array("\n","\r","\t"), '', $css);
 
-	if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
-		return '';
-
 	$css_array = explode( ';', trim( $css ) );
 
 	/**
@@ -1710,6 +1710,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 	$allowed_attr = apply_filters( 'safe_style_css', array(
 		'background',
 		'background-color',
+		'background-image',
 
 		'border',
 		'border-width',
@@ -1778,25 +1779,66 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 		'list-style-type',
 	) );
 
-	if ( empty($allowed_attr) )
+
+	/*
+	 * CSS attributes that accept URL data types.
+	 *
+	 * This is in accordance to the CSS spec and unrelated to
+	 * the sub-set of supported attributes above.
+	 *
+	 * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
+	 */
+	$css_url_data_types = array(
+		'background',
+		'background-image',
+
+		'cursor',
+
+		'list-style',
+		'list-style-image',
+	);
+
+	if ( empty( $allowed_attr ) ) {
 		return $css;
+	}
 
 	$css = '';
 	foreach ( $css_array as $css_item ) {
 		if ( $css_item == '' )
 			continue;
-		$css_item = trim( $css_item );
-		$found = false;
+		$css_item        = trim( $css_item );
+		$css_test_string = $css_item;
+		$found           = false;
+		$url_attr        = false;
 		if ( strpos( $css_item, ':' ) === false ) {
 			$found = true;
 		} else {
-			$parts = explode( ':', $css_item );
-			if ( in_array( trim( $parts[0] ), $allowed_attr ) )
+			$parts = explode( ':', $css_item, 2 );
+			if ( in_array( trim( $parts[0] ), $allowed_attr ) ) {
 				$found = true;
+			}
+			if ( $found && in_array( trim( $parts[0] ), $css_url_data_types, true ) ) {
+				$url_attr = true;
+			}
+		}
+		if ( $found && $url_attr ) {
+			// Simplified: matches the sequence `url(*)`.
+			preg_match_all( '/url\(\s*([^)]+)\s*\)/', $parts[1],$url_matches );
+			foreach ( $url_matches[1] as $url_match ) {
+				// Extract URL from each of the matches above.
+				preg_match( '/^([\'\"]?)\s*(.*)\s*(\g1)$/', $url_match, $url_pieces );
+				if ( empty( $url_pieces ) || $url_pieces[1] !== wp_kses_bad_protocol( $url_pieces[1] ) ) {
+					$found = false;
+					break;
+				} else {
+					$css_test_string = str_replace( $url_match, '', $css_test_string );
+				}
+			}
 		}
-		if ( $found ) {
-			if( $css != '' )
+		if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) {
+			if ( $css != '' ) {
 				$css .= ';';
+			}
 			$css .= $css_item;
 		}
 	}