diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 6f74d9faf0..33d606e483 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2713,11 +2713,11 @@ function wp_rel_nofollow( $text ) {
 */
 function wp_rel_nofollow_callback( $matches ) {
 $text = $matches[1];
- $atts = shortcode_parse_atts( $matches[1] );
+ $atts = wp_kses_hair( $matches[1], wp_allowed_protocols() );
 $rel = 'nofollow';
 
 if ( ! empty( $atts['href'] ) ) {
- $href_parts = wp_parse_url( $atts['href'] );
+ $href_parts = wp_parse_url( $atts['href']['value'] );
 $href_scheme = isset( $href_parts['scheme'] ) ? $href_parts['scheme'] : '';
 $href_host = isset( $href_parts['host'] ) ? $href_parts['host'] : '';
 $home_parts = wp_parse_url( home_url() );
@@ -2730,7 +2730,7 @@ function wp_rel_nofollow_callback( $matches ) {
 }
 
 if ( ! empty( $atts['rel'] ) ) {
- $parts = array_map( 'trim', explode( ' ', $atts['rel'] ) );
+ $parts = array_map( 'trim', explode( ' ', $atts['rel']['value'] ) );
 if ( false === array_search( 'nofollow', $parts ) ) {
 $parts[] = 'nofollow';
 }
@@ -2739,7 +2739,11 @@ function wp_rel_nofollow_callback( $matches ) {
 
 $html = '';
 foreach ( $atts as $name => $value ) {
- $html .= "{$name}=\"" . esc_attr( $value ) . "\" ";
+ if ( isset( $value['vless'] ) && 'y' === $value['vless'] ) {
+ $html .= $name . ' ';
+ } else {
+ $html .= "{$name}=\"" . esc_attr( $value['value'] ) . '" ';
+ }
 }
 $text = trim( $html );
 }
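Review bot: The lookups `$atts['href']` and `$atts['rel']` are case-sensitive, and as far as I know `wp_kses_hair()` keys its result by the attribute name exactly as written, whereas `shortcode_parse_atts()` lowercased names. If that holds, an attribute spelled `HREF` or `REL` is no longer recognised after this change, so the host comparison is skipped and an existing `REL` value is not merged with the appended one. Normalising the keys once after parsing, e.g. `$atts = array_change_key_case( $atts, CASE_LOWER );`, would keep the earlier behaviour; please confirm against the parser and add a test with mixed-case attribute names. The function body continues outside this hunk.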
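Review bot: `explode( ' ', $atts['rel']['value'] )` splits on the space character only, while `rel` is a whitespace-separated token list, and with the new parser a valueless `rel` arrives as an empty string and produces an empty first token. From the visible lines the effect looks limited to a duplicated `nofollow` or a stray leading space in the merged value, so this is a robustness point rather than a safety one. It is easy to tighten with `$parts = preg_split( '/\s+/', $atts['rel']['value'], -1, PREG_SPLIT_NO_EMPTY );` and `if ( ! in_array( 'nofollow', $parts, true ) ) {`, which also makes the `trim` mapping unnecessary. The `if` block opened here closes in the next hunk.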
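Review bot: The attribute string is rebuilt from the parsed `$atts` only inside the `if ( ! empty( $atts['rel'] ) )` branch opened in the previous hunk; for an anchor without `rel`, `$text` keeps the raw `$matches[1]` assigned at the top of the function. Assuming the return statement outside this diff interpolates `$text`, the escaping added here does not cover those tags. Consider moving the `foreach` and `$text = trim( $html );` below the branch's closing brace, so that every tag that gets a `rel` appended is re-serialised from parsed values. The new valueless branch also emits `$name` unescaped, which deserves a comment such as `// $name is not escaped: wp_kses_hair() only returns names that matched its attribute-name pattern.`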