diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 7a3261514..32720c9dc 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -3002,4 +3002,23 @@ function sanitize_mime_type( $mime_type ) {
 	return apply_filters( 'sanitize_mime_type', $sani_mime_type, $mime_type );
 }
 
+/**
+ * Sanitize space or carriage return separated URLs that are used to send trackbacks.
+ *
+ * @since 3.4.0
+ *
+ * @param string $to_ping Space or carriage return separated URLs
+ * @return string URLs starting with the http or https protocol, separated by a carriage return.
+ */
+function sanitize_trackback_urls( $to_ping ) {
+	$urls_to_ping = preg_split( '/\r\n\t /', trim( $to_ping ), -1, PREG_SPLIT_NO_EMPTY );
+	foreach ( $urls_to_ping as $k => $url ) {
+		if ( !preg_match( '#^https?://.#i', $url ) )
+			unset( $urls_to_ping[$k] );
+	}
+	$urls_to_ping = array_map( 'esc_url_raw', $urls_to_ping );
+	$urls_to_ping = implode( "\n", $urls_to_ping );
+	return apply_filters( 'sanitize_trackback_urls', $urls_to_ping, $to_ping );
+}
+
 ?>
diff --git a/wp-includes/post.php b/wp-includes/post.php
index 624166910..7583d8e3c 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -2537,7 +2537,7 @@ function wp_insert_post($postarr, $wp_error = false) {
 		$ping_status = get_option('default_ping_status');
 
 	if ( isset($to_ping) )
-		$to_ping = preg_replace('|\s+|', "\n", $to_ping);
+		$to_ping = sanitize_trackback_urls( $to_ping );
 	else
 		$to_ping = '';
 
@@ -3064,7 +3064,7 @@ function get_pung($post_id) {
 function get_to_ping($post_id) {
 	global $wpdb;
 	$to_ping = $wpdb->get_var( $wpdb->prepare( "SELECT to_ping FROM $wpdb->posts WHERE ID = %d", $post_id ));
-	$to_ping = trim($to_ping);
+	$to_ping = sanitize_trackback_urls( $to_ping );
 	$to_ping = preg_split('/\s/', $to_ping, -1, PREG_SPLIT_NO_EMPTY);
 	$to_ping = apply_filters('get_to_ping', $to_ping);
 	return $to_ping;
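Review bot: The split pattern `'/\r\n\t /'` in sanitize_trackback_urls matches only the literal four-character sequence CR, LF, TAB, SPACE rather than any one of them, so a list of URLs separated by a single newline or space is never split; the intent reads as a character class, `$urls_to_ping = preg_split( '/[\r\n\t ]/', trim( $to_ping ), -1, PREG_SPLIT_NO_EMPTY );`. With the current pattern the whole input is one element, so either every URL is dropped because the string does not start with `http(s)://`, or the entire unsplit list is handed to esc_url_raw as a single URL and the later entries are mangled (esc_url_raw is outside the hunk, so the exact result depends on it). Both call sites in post.php (the wp_insert_post and get_to_ping hunks) inherit this, and the removed wp_insert_post line normalised any run of whitespace, which the new code no longer does. A docblock line stating that entries without an http or https scheme are silently dropped would also help callers.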
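Review bot: The re-sanitisation on the read path in get_to_ping deserves a why-comment, because a reader may take it as redundant with the write path: as the removed wp_insert_post line shows, inserts previously only normalised whitespace, so rows written before this change can hold entries with arbitrary schemes and are scheme-filtered only here. Suggest `// Re-sanitize on read: rows stored before this change were not scheme-filtered on insert.` above the call. The following `preg_split('/\s/', ...)` still re-splits the "\n"-joined result, which is harmless but means any whitespace a sanitize_trackback_urls filter callback introduces is split again at this point.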