id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
12780,get_search_query() can be confusing as it doesn't sanitize,Viper007Bond,ryan,"`the_search_query()` is the recommended way to display what a user searched for. But what if you need `the_search_query()`'s output for use in PHP, i.e. the value returned? `get_search_query()` seems like the correct function to use, but they differ in one very important way -- `get_search_query()` '''does not escape its output at all'''.

It's an easy mistake as most `get_` functions are identical to their echoing counterparts and most users don't realize the difference. This can easily result in an XSS attack.

I'm not sure what the solution to this is, but there should be an easier way to get a safe search query than having the user call `esc_attr()`, `get_search_query()`, etc.

Perhaps deprecate `get_search_query()` and introduce `get_the_search_query` or something.",defect (bug),closed,high,3.0,Template,3.0,normal,fixed,,
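The attribute-context XSS the reporter describes, as an added example that is not part of the ticket or of WordPress. It is stand-alone PHP: the `$_GET['s']` value is constructed, `raw_search_query()` stands in for the unescaped value the ticket complains about, and `esc_attr_standin()` (plain `htmlspecialchars()` with `ENT_QUOTES`) stands in for WordPress's `esc_attr()`; in a real theme the fix the reporter asks for is simply `esc_attr( get_search_query() )`.

```php
<?php
// Added example (not WordPress code): shows why echoing the raw search
// query into an attribute is exploitable and what escaping changes.

// Constructed attacker-controlled search term, i.e. what ?s=... would carry.
// The leading quote closes the value="" attribute, then an event handler
// attribute is injected, and the trailing x=" swallows the real closing quote.
$_GET['s'] = '" autofocus onfocus="alert(document.cookie)" x="';

// Stand-in for the unescaped value get_search_query() returned at the time
// of this ticket: the 's' query var exactly as the browser submitted it.
function raw_search_query(): string
{
    return isset($_GET['s']) ? (string) $_GET['s'] : '';
}

// Stand-in for esc_attr(): encode &, <, >, " and ' so the value cannot
// terminate the attribute it is placed in.
function esc_attr_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable template fragment: the raw value is concatenated into an
// HTML attribute, which is the mistake the ticket warns about.
function render_search_form_unsafe(string $q): string
{
    return '<input type="text" name="s" value="' . $q . '" />';
}

// Hardened fragment: identical markup, value escaped for attribute context.
function render_search_form_safe(string $q): string
{
    return '<input type="text" name="s" value="' . esc_attr_standin($q) . '" />';
}

// Simple check a template reviewer can apply: the rendered fragment must
// contain exactly one <input> tag and no on* event-handler attribute.
function fragment_is_clean(string $html): bool
{
    return preg_match_all('/<input\b/i', $html) === 1
        && !preg_match('/\son[a-z]+\s*=/i', $html);
}

$q = raw_search_query();

$unsafe = render_search_form_unsafe($q);
$safe   = render_search_form_safe($q);

echo "Unsafe (payload breaks out of the attribute):\n$unsafe\n\n";
echo "Safe (payload stays inside the attribute value):\n$safe\n\n";

// The unsafe fragment now carries an onfocus= handler; the safe one does not.
assert(fragment_is_clean($unsafe) === false);
assert(fragment_is_clean($safe) === true);
echo fragment_is_clean($unsafe) ? "unsafe: clean\n" : "unsafe: event handler injected\n";
echo fragment_is_clean($safe) ? "safe: clean\n" : "safe: event handler injected\n";
```

In the unsafe output the browser sees `value=""` followed by a live `onfocus` attribute and, because of `autofocus`, fires it on page load without any user interaction. In the safe output every `"` has become `&quot;`, so the whole payload is just text inside the attribute. Since the fix for this ticket, `get_search_query()` takes an `$escaped` parameter that defaults to `true`; passing `false` returns the raw value again, so treat any call that does so as the unsafe path above.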
