[wp-trac] [WordPress Trac] #12780: get_search_query() can be confusing as it doesn't sanitize

WordPress Trac wp-trac at lists.automattic.com
Wed Mar 31 01:37:05 UTC 2010


#12780: get_search_query() can be confusing as it doesn't sanitize
--------------------------+-------------------------------------------------
 Reporter:  Viper007Bond  |       Owner:            
     Type:  defect (bug)  |      Status:  new       
 Priority:  normal        |   Milestone:  Unassigned
Component:  General       |     Version:  3.0       
 Severity:  normal        |    Keywords:            
--------------------------+-------------------------------------------------
 `the_search_query()` is the recommended way to display what a user
 searched for. But what if you need `the_search_query()`'s output for use
 in PHP, i.e. the value returned? `get_search_query()` seems like the
 correct function to use, but they differ in one very important way --
 `get_search_query()` '''does not escape its output at all'''.

 It's an easy mistake as most `get_` functions are identical to their
 echoing counterparts and most users don't realize the difference. This
 can easily result in an XSS attack.

 I'm not sure what the solution to this is, but there should be an easier
 way to get a safe search query than having the user call `esc_attr()`,
 `get_search_query()`, etc.

 Perhaps deprecate `get_search_query()` and introduce
 `get_the_search_query` or something.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12780>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
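As an added example (not code from the ticket or from WordPress core) of the difference the reporter describes, the template snippet below renders the search box once with the raw return value of `get_search_query()` and once with the escaped form `esc_attr( get_search_query() )`, next to what `the_search_query()` echoes. The `function_exists`-guarded stubs are simplified stand-ins assumed only so the file runs on plain PHP outside WordPress.

```php
<?php
// Added example, not part of the ticket or of WordPress core.
// The stubs below are simplified stand-ins for the real WordPress functions,
// present only so this file runs on plain PHP; inside WordPress the real
// functions are used and these definitions are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'get_search_query' ) ) {
    function get_search_query() {
        // Stand-in: returns the 's' request value without any escaping,
        // which is the behaviour the ticket warns about.
        return isset( $_GET['s'] ) ? (string) $_GET['s'] : '';
    }
}
if ( ! function_exists( 'the_search_query' ) ) {
    function the_search_query() {
        // Stand-in: the echoing counterpart escapes before output.
        echo esc_attr( get_search_query() );
    }
}

// Builds the search input the way a theme template might.
// $escape = false reproduces the unsafe pattern (raw value inside a quoted
// attribute); $escape = true is the corrected pattern.
function render_search_input( $escape ) {
    $value = $escape ? esc_attr( get_search_query() ) : get_search_query();
    return '<input type="text" name="s" value="' . $value . '" />';
}

// Constructed sample input: a search term that closes the value attribute
// and injects markup, so the two renderings visibly differ.
$_GET['s'] = '"><b>bold</b>';

echo "Unsafe (get_search_query() echoed directly):\n";
echo render_search_input( false ), "\n\n";
echo "Safe (esc_attr( get_search_query() )):\n";
echo render_search_input( true ), "\n\n";
echo "What the_search_query() echoes for the same input:\n";
the_search_query();
echo "\n";
```

The unsafe rendering shows the attribute terminated and the `<b>` tag emitted as markup, while the escaped variants keep the whole term inside the `value` attribute.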

