Lack of Sanitization and Insufficient Authentication

The `language_attributes()` function was not escaping output, which could lead to an XSS vulnerability if combined with other vulnerabilities. To fix that, the output was [passed through `esc_attr()` in r42259](https://core.trac.wordpress.org/changeset/42259), which was part of [the 4.9.1 release](https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/).