insufficient sanitization in get_body_class()
Reported by: Denis-de-Bernardy | Owned by:
Following up on #11439, the template file could be something like foo.bar.php, which is an invalid CSS class.
Likewise, the $class argument could potentially contain unsanitized class names.
We should change sanitize_html_class so as to make its second argument default to an empty string, and array map the resulting mess accordingly.
The same might apply for get_post_class().
(Lastly, and slightly off topic, there is a preg_split() call with a \s class in it. At some point, we'll need to make this stuff work with UTF-8 chars, which would require the /u delimiter.)
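A sketch of the change proposed in this ticket, added here as an illustration and not taken from WordPress core or from the reporter: a sanitizer whose second argument defaults to an empty string, mapped over every class name with array_map. The function names `example_sanitize_html_class()` and `example_clean_class_list()` are hypothetical, the allowed character set is an assumption, and the input values are constructed.

```php
<?php
// Hypothetical stand-in for a class-name sanitizer with an optional fallback.
// Assumption: only A-Z, a-z, 0-9, '_' and '-' are kept.
function example_sanitize_html_class( $class, $fallback = '' ) {
    // Drop %-encoded octets first, then every character outside the allowed set.
    $sanitized = preg_replace( '/%[a-fA-F0-9]{2}/', '', (string) $class );
    $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );

    // Use the fallback only when nothing survived and a fallback was given.
    if ( '' === $sanitized && '' !== $fallback ) {
        return example_sanitize_html_class( $fallback );
    }
    return $sanitized;
}

// Hypothetical helper: merge generated names with a caller-supplied $class
// argument (string or array) and sanitize every entry.
function example_clean_class_list( $class, array $generated = array() ) {
    if ( ! is_array( $class ) ) {
        $class = preg_split( '/\s+/', trim( (string) $class ), -1, PREG_SPLIT_NO_EMPTY );
    }
    $classes = array_merge( $generated, $class );

    // array_map passes one argument per call, so $fallback must default to ''.
    $classes = array_map( 'example_sanitize_html_class', $classes );

    // Discard names that sanitized to nothing, then duplicates.
    return array_values( array_unique( array_filter( $classes, 'strlen' ) ) );
}

// Constructed input: a dotted template file name and a messy $class string.
$template  = 'foo.bar.php';
$generated = array( 'page-template', 'page-template-' . $template );
$class     = 'home  bad"quote %20 two.words home';

echo 'unsanitized: ' . implode( ' ', array_merge( $generated, explode( ' ', $class ) ) ) . "\n";
echo 'sanitized:   ' . implode( ' ', example_clean_class_list( $class, $generated ) ) . "\n";
```

The output is only safe to place inside a class attribute because every entry passes through the sanitizer; escaping the final attribute value at output time remains a separate step.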