diff --git a/wp-admin/menu-header.php b/wp-admin/menu-header.php
index 1f481f8634..7037f15c54 100644
--- a/wp-admin/menu-header.php
+++ b/wp-admin/menu-header.php
@@ -123,7 +123,7 @@ function _wp_menu_output( $menu, $submenu, $submenu_as_parent = true ) {
 		 * as special cases.
 		 */
 		if ( ! empty( $item[6] ) ) {
-			$img = '<img src="' . $item[6] . '" alt="" />';
+			$img = '<img src="' . esc_url( $item[6] ) . '" alt="" />';
 
 			if ( 'none' === $item[6] || 'div' === $item[6] ) {
 				$img = '<br />';