Security update to version 4.8.2
Security issues:
- $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.
- A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
- A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
- A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
- An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
- A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
- A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).
And 6 other fixes:
* Emoji
- #41584 - Upgrade Twemoji to 2.5.0
- #41852 - Fix UN flag test by returning the correct value.
* I18N
- #41794 - Support numbers in locales during installation
* Security
- #13377 - Add more sanitization in _cleanup_header_comment
* Widgets
- #41596 - New Text Widget recognizes HTML but does not render it in the front end
- #41622 - Text widget can show DOMDocument::loadHTML() warnings in admin when is_legacy_widget method is called
More on https://codex.wordpress.org/Version_4.8.2
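The $wpdb->prepare() item above is easy to misread: prepare() is safe for the values passed in its argument list, but any `%` that reaches its format string from untrusted data is interpreted by vsprintf(). The following is an added example written for this page; it is not WordPress core code and not part of the commit. It models the pre-4.8.2 prepare() flow (quote-wrap `%s`, escape arguments, vsprintf) in a cut-down form, and `prepare_hardened()` is this example's own approximation of the 4.8.2 idea of neutralising stray `%` characters, not the actual core changeset. The function names, the wp_postmeta query and the attacker inputs are constructed for the demonstration; no database is touched, only the SQL text that would be sent is shown.

```php
<?php
// Added example, not WordPress core code. Models the old wpdb::prepare() flow to
// show why untrusted text must never be spliced into the format string, and why
// a core-side hardening can only partly compensate for that mistake.

// Cut-down model of the pre-4.8.2 prepare(): `%s` becomes a quoted placeholder,
// arguments are slash-escaped (simplification of the real escaping), then
// vsprintf() runs and also honours any `%` the caller left in the format string.
function prepare_old(string $query, array $args)
{
    $query = preg_replace('|(?<!%)%f|', '%F', $query);   // locale-safe floats
    $query = preg_replace('|(?<!%)%s|', "'%s'", $query); // quote string placeholders
    $args  = array_map('addslashes', $args);            // simplified argument escaping
    try {
        return @vsprintf($query, $args);                 // PHP 7: false on argument mismatch
    } catch (\ArgumentCountError | \ValueError $e) {    // PHP 8: exceptions instead of false
        return false;
    }
}

// This example's approximation of the 4.8.2 hardening (assumption, not the real
// diff): any `%` that does not introduce a supported placeholder is doubled, so
// it reaches vsprintf() as a literal and positional forms like `%1$s` stop working.
function prepare_hardened(string $query, array $args)
{
    $query = preg_replace('/%(?:%|$|([^dsfF]))/', '%%$1', $query);
    return prepare_old($query, $args);
}

// VULNERABLE PATTERN: $key is slash-escaped (as esc_sql() would do) but then
// spliced into the format string, so every `%` it contains becomes a directive.
function lookup_vulnerable(string $key, string $value, callable $prepare)
{
    $key = addslashes($key);
    return $prepare(
        "SELECT post_id FROM wp_postmeta WHERE meta_key = '$key' AND meta_value = %s",
        [$value]
    );
}

// SAFE PATTERN: every untrusted value travels in the argument list, where a `%`
// is data and never a format directive, whichever prepare() variant is in use.
function lookup_safe(string $key, string $value, callable $prepare)
{
    return $prepare(
        "SELECT post_id FROM wp_postmeta WHERE meta_key = %s AND meta_value = %s",
        [$key, $value]
    );
}

// Constructed inputs: one benign key and two attacker-controlled keys.
$cases = [
    'benign'     => ['color', 'red'],
    'stray %s'   => ['%s',    'red'],  // adds a placeholder: argument count no longer matches
    'positional' => ['%1$s',  'red'],  // re-uses argument 1 in the meta_key slot
];

foreach (['prepare_old', 'prepare_hardened'] as $prep) {
    foreach ($cases as $label => [$key, $value]) {
        printf("%-16s %-10s vulnerable: %s\n", $prep, $label,
            var_export(lookup_vulnerable($key, $value, $prep), true));
        printf("%-16s %-10s safe:       %s\n", $prep, $label,
            var_export(lookup_safe($key, $value, $prep), true));
    }
}
```

With `prepare_old`, the spliced `%s` key yields `false` (the query never runs) because the attacker added a placeholder, and the `%1$s` key makes the generated SQL read `meta_key = 'red' AND meta_value = 'red'`, so the attacker has re-targeted a column the developer thought was fixed. `prepare_hardened` turns the `%1$s` case into the harmless literal `meta_key = '%1$s'`, but it cannot tell an attacker's `%s` from the developer's own, which is why the release notes call it hardening for plugins rather than a core fix: the durable remedy is the `lookup_safe` shape, where the only `%` in the format string are the ones the developer wrote.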