[wp-trac] [WordPress Trac] #12780: get_search_query() can be confusing as it doesn't sanitize
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 31 02:29:56 UTC 2010
#12780: get_search_query() can be confusing as it doesn't sanitize
--------------------------+-------------------------------------------------
Reporter: Viper007Bond | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.0
Component: Template | Version: 3.0
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
Comment(by Viper007Bond):
Replying to [comment:3 nacin]:
> Deprecating it for get_the_search_query() doesn't do much good. We can't
even get plugin authors to obey the deprecated API.
>
> I suggest we break back compat here and escape it. The Codex is wrong,
Twenty Ten is wrong, many many themes are inviting XSS.
>
> If anyone wants the unescaped value, they can call the query var
themselves.
That sounds like an acceptable solution to me.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12780#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list