diff --git src/wp-admin/includes/class-wp-screen.php src/wp-admin/includes/class-wp-screen.php
index 739a182ded..c8aa2ccbc4 100644
--- src/wp-admin/includes/class-wp-screen.php
+++ src/wp-admin/includes/class-wp-screen.php
@@ -882,7 +882,7 @@ final class WP_Screen {
 							$panel_id = "tab-panel-{$tab['id']}";
 							?>
 
-							<li id="<?php echo esc_attr( $link_id ); ?>"<?php echo $class; ?>>
+							<li id="<?php echo esc_attr( $link_id ); ?>"<?php echo esc_attr( $class ); ?>>
 								<a href="<?php echo esc_url( "#$panel_id" ); ?>" aria-controls="<?php echo esc_attr( $panel_id ); ?>">
 									<?php echo esc_html( $tab['title'] ); ?>
 								</a>
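Review bot: On the `<li>` line, `$class` is printed after the closing quote of `id`, outside any quoted value, so it presumably carries a whole ` class="…"` fragment. If so, `esc_attr()` will turn its double quotes into `&quot;`, the browser will no longer parse a class attribute, and the active tab loses its marker. The assignment of `$class` lies outside this hunk, so this needs confirming there. If it holds, keep only the class name in the variable and write the attribute in the template: `<li id="<?php echo esc_attr( $link_id ); ?>" class="<?php echo esc_attr( $class ); ?>">`.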
@@ -896,7 +896,7 @@ final class WP_Screen {
 
 					<?php if ( $help_sidebar ) : ?>
 					<div class="contextual-help-sidebar">
-						<?php echo $help_sidebar; ?>
+						<?php echo esc_html( $help_sidebar ); ?>
 					</div>
 					<?php endif; ?>
 
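Review bot: `esc_html( $help_sidebar )` will show any markup in the sidebar as literal text. Help sidebars and tab content are normally supplied as HTML (paragraphs, links), although the setters are not visible in this diff. The same applies to `echo esc_html( $tab['content'] );` in the next hunk. To keep the intended markup while still dropping script-capable elements, filter through the post allow-list instead: `<?php echo wp_kses_post( $help_sidebar ); ?>` and `echo wp_kses_post( $tab['content'] );`.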
@@ -907,10 +907,10 @@ final class WP_Screen {
 							$panel_id = "tab-panel-{$tab['id']}";
 							?>
 
-							<div id="<?php echo esc_attr( $panel_id ); ?>" class="<?php echo $classes; ?>">
+							<div id="<?php echo esc_attr( $panel_id ); ?>" class="<?php echo esc_attr( $classes ); ?>">
 								<?php
 								// Print tab content.
-								echo $tab['content'];
+								echo esc_html( $tab['content'] );
 
 								// If it exists, fire tab callback.
 								if ( ! empty( $tab['callback'] ) ) {
@@ -1160,7 +1160,7 @@ final class WP_Screen {
 		$legend = ! empty( $columns['_title'] ) ? $columns['_title'] : __( 'Columns' );
 		?>
 		<fieldset class="metabox-prefs">
-		<legend><?php echo $legend; ?></legend>
+		<legend><?php echo esc_html( $legend ); ?></legend>
 		<?php
 		$special = array( '_title', 'cb', 'comment', 'media', 'name', 'title', 'username', 'blogname' );
 
@@ -1183,7 +1183,7 @@ final class WP_Screen {
 
 			$id = "$column-hide";
 			echo '<label>';
-			echo '<input class="hide-column-tog" name="' . $id . '" type="checkbox" id="' . $id . '" value="' . $column . '"' . checked( ! in_array( $column, $hidden, true ), true, false ) . ' />';
+			echo '<input class="hide-column-tog" name="' . esc_attr( $id ) . '" type="checkbox" id="' . esc_attr( $id ) . '" value="' . esc_attr( $column ) . '"' . checked( ! in_array( $column, $hidden, true ), true, false ) . ' />';
 			echo "$title</label>\n";
 		}
 		?>
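Review bot: The context line `echo "$title</label>\n";` still prints `$title` unescaped, directly after the input whose attributes this hunk now escapes. The loop starts outside the hunk, so it is not visible whether `$title` is stripped or escaped earlier. If it is not, change the line to `echo esc_html( $title ) . "</label>\n";` so column titles get the same treatment as the attribute values.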
