From 8c65cfc7f4bd7459aaa3a381abdceed3580b44a7 Mon Sep 17 00:00:00 2001
From: Drew Jaynes <drewapicture@git.wordpress.org>
Date: Thu, 17 Sep 2015 09:38:56 +0000
Subject: [PATCH] Docs: Add a reminder to the DocBlock description for
 `add_query_arg()` mentioning that the output is not escaped by default.

Props brentvr for the initial patch. (first props!)
See #33912. See #32246.


git-svn-id: https://develop.svn.wordpress.org/trunk@34264 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/functions.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index bad987c9f1..342dd0e157 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -680,6 +680,10 @@ function _http_build_query( $data, $prefix = null, $sep = null, $key = '', $urle
  * value. Additional values provided are expected to be encoded appropriately
  * with urlencode() or rawurlencode().
  *
+ * Important: The return value of add_query_arg() is not escaped by default.
+ * Output should be late-escaped with esc_url() or similar to help prevent
+ * vulnerability to cross-site scripting (XSS) attacks.
+ *
  * @since 1.5.0
  *
  * @param string|array $param1 Either newkey or an associative_array.