diff --git src/wp-includes/general-template.php src/wp-includes/general-template.php
index a2b1029064..627311772d 100644
--- src/wp-includes/general-template.php
+++ src/wp-includes/general-template.php
@@ -1299,7 +1299,7 @@ function _wp_render_title_tag() {
 		return;
 	}
 
-	echo '<title>' . wp_get_document_title() . '</title>' . "\n";
+	echo '<title>' . esc_html( wp_get_document_title() ) . '</title>' . "\n";
 }
 
 /**
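Review bot: Neither title call site records why the value is escaped at the echo, here in `_wp_render_title_tag()` and again on the `<title>` line of theme-compat/header.php. `wp_get_document_title()` is defined outside this diff; if it already escapes its result through its own filters, the new call is defence in depth against a filter that returns raw text, and a later cleanup could mistake it for redundant. As far as I know `esc_html()` does not re-encode existing entities, so the title should not render double-escaped, but a test with `&amp;` in the title would confirm that. I would add `// Escape late: title filters may return unescaped text.` above the echo. Only the tail of the function is visible in this hunk.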
diff --git src/wp-includes/load.php src/wp-includes/load.php
index 3db556583c..bfda00cd14 100644
--- src/wp-includes/load.php
+++ src/wp-includes/load.php
@@ -495,7 +495,7 @@ function timer_stop( $display = 0, $precision = 3 ) {
 	}
 
 	if ( $display ) {
-		echo $r;
+		echo esc_html( $r );
 	}
 
 	return $r;
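Review bot: `esc_html()` may not be defined yet when the new echo in `timer_stop()` runs. load.php is included early in bootstrap, and to my knowledge `esc_html()` lives in formatting.php, which is loaded later and not at all under `SHORTINIT`. An early `timer_stop( 1 )` call would then fail with a fatal error instead of printing the timer, so guard it: `echo function_exists( 'esc_html' ) ? esc_html( $r ) : htmlspecialchars( $r, ENT_QUOTES );`. `return $r;` still hands back the unescaped string, so the docblock should say that callers who print the return value must escape it. The start of the function is outside the hunk, so how `$r` is built is not visible here.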
diff --git src/wp-includes/theme-compat/header.php src/wp-includes/theme-compat/header.php
index cbd84eb20e..264c5389ea 100644
--- src/wp-includes/theme-compat/header.php
+++ src/wp-includes/theme-compat/header.php
@@ -21,7 +21,7 @@ _deprecated_file(
 <link rel="profile" href="https://gmpg.org/xfn/11" />
 <meta http-equiv="Content-Type" content="<?php bloginfo( 'html_type' ); ?>; charset=<?php bloginfo( 'charset' ); ?>" />
 
-<title><?php echo wp_get_document_title(); ?></title>
+<title><?php echo esc_html( wp_get_document_title() ); ?></title>
 
 <link rel="stylesheet" href="<?php bloginfo( 'stylesheet_url' ); ?>" type="text/css" media="screen" />
 <link rel="pingback" href="<?php bloginfo( 'pingback_url' ); ?>" />
@@ -54,7 +54,7 @@ if ( is_singular() ) {
 
 <div id="header" role="banner">
 	<div id="headerimg">
-		<h1><a href="<?php echo home_url(); ?>/"><?php bloginfo( 'name' ); ?></a></h1>
+		<h1><a href="<?php echo esc_url( home_url() ); ?>/"><?php bloginfo( 'name' ); ?></a></h1>
 		<div class="description"><?php bloginfo( 'description' ); ?></div>
 	</div>
 </div>
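Review bot: The trailing slash in the `<h1>` link is still appended outside the escaped value, `esc_url( home_url() ); ?>/`, so the attribute is assembled from an escaped part and a literal part. If a filter gives the home URL a query string or fragment, the slash lands after it. Passing the path to the function keeps the whole URL inside one escape call: `<a href="<?php echo esc_url( home_url( '/' ) ); ?>">`.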
