From ebd39b123386bbd9699fcc76a779ee90c5cdc724 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Sat, 3 Apr 2010 23:38:38 +0000
Subject: [PATCH] Have get_search_query() escape by default, like it's echoing counterpart the_search_query(). see #12780
git-svn-id: https://develop.svn.wordpress.org/trunk@13978 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/edit.php | 2 +-
 wp-admin/upload.php | 2 +-
 wp-includes/feed-atom-comments.php | 4 ++--
 wp-includes/general-template.php | 23 ++++++++++++++++-------
 wp-includes/link-template.php | 2 +-
 5 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/wp-admin/edit.php b/wp-admin/edit.php
index 79442a6ec2..19c10806b4 100644
--- a/wp-admin/edit.php
+++ b/wp-admin/edit.php
@@ -167,7 +167,7 @@ else

' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', get_search_query() ); ?>

' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', get_search_query() ); ?>

' if ( is_singular() ) printf(ent2ncr(__('Comments on %s')), get_the_title_rss()); elseif ( is_search() ) - printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), esc_attr(get_search_query())); + printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), get_search_query() ); else printf(ent2ncr(__('Comments for %s')), get_bloginfo_rss( 'name' ) . get_wp_title_rss()); ?> @@ -31,7 +31,7 @@ echo '' - + diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php index 29e38b63b1..57759d7ba7 100644 --- a/wp-includes/general-template.php +++ b/wp-includes/general-template.php @@ -156,7 +156,7 @@ function get_search_form($echo = true) { $form = ''; @@ -1642,7 +1642,7 @@ function feed_links_extra( $args = array() ) { $title = esc_attr(sprintf( $args['authortitle'], get_bloginfo('name'), $args['separator'], get_the_author_meta( 'display_name', $author_id ) )); $href = get_author_feed_link( $author_id ); } elseif ( is_search() ) { - $title = esc_attr(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query() )); + $title = esc_attr(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query( false ) )); $href = get_search_feed_link(); } 
@@ -1825,12 +1825,21 @@ function the_editor($content, $id = 'content', $prev_id = 'title', $media_button
 /**
  * Retrieve the contents of the search WordPress query variable.
  *
- * @since 2.3.0
+ * The search query string is passed through {@link esc_attr()}
+ * to ensure that it is safe for placing in an html attribute.
  *
+ * @since 2.3.0
+ * @uses esc_attr()
+ *
+ * @param bool $escaped Whether the result is escaped. Default true.
+ * Only use when you are later escaping it. Do not use unescaped.
  * @return string
  */
-function get_search_query() {
- return apply_filters( 'get_search_query', get_query_var( 's' ) );
+function get_search_query( $escaped = true ) {
+ $query = apply_filters( 'get_search_query', get_query_var( 's' ) );
+ if ( $escaped )
+ $query = esc_attr( $query );
+ return $query;
 }
 
 /**
@@ -1839,11 +1848,11 @@ function get_search_query() {
  * The search query string is passed through {@link esc_attr()}
  * to ensure that it is safe for placing in an html attribute.
  *
- * @uses attr
+ * @uses esc_attr()
  * @since 2.1.0
  */
 function the_search_query() {
- echo esc_attr( apply_filters( 'the_search_query', get_search_query() ) );
+ echo esc_attr( apply_filters( 'the_search_query', get_search_query( false ) ) );
 }
 
 /**
diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php
index f4d9da273e..66b51ba2ec 100644
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -686,7 +686,7 @@ function get_search_link( $query = '' ) {
 global $wp_rewrite;
 
 if ( empty($query) )
- $search = get_search_query();
+ $search = get_search_query( false );
 else
 $search = stripslashes($query);
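Review bot: The new docblock for get_search_query() states unconditionally that the value "is passed through esc_attr()", but the body only escapes when `$escaped` is truthy, and the `get_search_query` filter runs before that step, so filter callbacks receive the raw query variable and it is their return value that gets escaped; both facts matter to anyone deciding whether a call site is safe. Suggest replacing the two added description lines with `* The search query string is passed through {@link esc_attr()} unless $escaped is false,` / `* so the default result is safe in an html attribute or as text. The 'get_search_query'` / `* filter runs before escaping and receives the unescaped query variable.`. The second hunk on this line (the_search_query) depends on this contract by passing `false` and then escaping the filtered result itself, which is consistent with the new parameter. Both hunks end at the opening `/**` of the following docblock, which continues outside the hunk.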