[wp-trac] [WordPress Trac] #12780: get_search_query() can be confusing as it doesn't sanitize
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 31 01:37:05 UTC 2010
#12780: get_search_query() can be confusing as it doesn't sanitize
--------------------------+-------------------------------------------------
Reporter: Viper007Bond | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Unassigned
Component: General | Version: 3.0
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
`the_search_query()` is the recommended way to display what a user
searched for. But what if you need `the_search_query()`'s output for use
in PHP, i.e. the value returned? `get_search_query()` seems like the
correct function to use, but they differ in one very important way --
`get_search_query()` '''does not escape its output at all'''.
It's an easy mistake as most `get_` functions are identical to their
echo'ing counterparts and most users don't realize the difference. This
can easily result in an XSS attack.
I'm not sure what the solution to this is, but there should be an easier
way to get a safe search query than having the user call `esc_attr()`,
`get_search_query()`, etc.
Perhaps deprecate `get_search_query()` and introduce
`get_the_search_query` or something.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12780>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
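The following is an added example, not part of the ticket and not WordPress core code. It uses minimal stand-ins (assumed, simplified versions of `get_query_var()` and `esc_attr()`, plus the two search-query helpers written to behave as the ticket describes for 3.0) so that the difference between the getter and its echoing counterpart can be seen offline with `php example.php`. The search term is a constructed value chosen to break out of an attribute.

```php
<?php
// Added example: stand-ins reproducing the behaviour the ticket reports.
// None of these are WordPress core's actual implementations.

// Constructed request data: a search term carrying attribute-breaking markup.
$GLOBALS['constructed_query_vars'] = array(
    's' => 'shoes"><em>injected</em><input value="',
);

// Stand-in for get_query_var(): returns the raw, unescaped request value.
function get_query_var($name) {
    return isset($GLOBALS['constructed_query_vars'][$name])
        ? $GLOBALS['constructed_query_vars'][$name]
        : '';
}

// Stand-in for esc_attr(): attribute-context escaping. Core's implementation
// differs in detail; htmlspecialchars with ENT_QUOTES is sufficient here.
function esc_attr($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Behaviour the ticket reports: the getter hands back the raw value ...
function get_search_query() {
    return get_query_var('s');
}

// ... while the echoing counterpart escapes before output.
function the_search_query() {
    echo esc_attr(get_search_query());
}

// Vulnerable template: treats get_search_query() like other get_ helpers
// and drops its return value straight into an attribute.
function render_unsafe_form() {
    return '<input type="text" name="s" value="' . get_search_query() . '" />';
}

// Hardened template: escape at the point of output, for the attribute context.
function render_safe_form() {
    return '<input type="text" name="s" value="' . esc_attr(get_search_query()) . '" />';
}

echo "Unsafe: " . render_unsafe_form() . PHP_EOL;
echo "Safe:   " . render_safe_form() . PHP_EOL;

// Same safe output, produced by the echoing helper the ticket recommends.
echo 'Via the_search_query(): <input type="text" name="s" value="';
the_search_query();
echo '" />' . PHP_EOL;
```

Running it prints the unsafe form with the injected `<em>` element and a second `<input>` sitting inside the page, while both safe variants render the whole term as inert text inside the `value` attribute. For a quick audit of a theme, any template that echoes `get_search_query()` directly, rather than wrapping it in `esc_attr()` or calling `the_search_query()`, is the pattern the ticket warns about.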