
Ticket #12780: get_search_query.diff

File get_search_query.diff, 5.4 KB (added by nacin, 15 years ago)

Making sure we're at least back compat with filters, and never passing already-escaped values to a filter. Also modify instances in core.

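--- a/wp-admin/edit.php
+++ b/wp-admin/edit.php
@@ -167,7 +167,7 @@
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title ); ?> <a href="<?php echo $post_new_file ?>" class="button add-new-h2"><?php echo esc_html_x('Add New', 'post'); ?></a> <?php
 if ( isset($_GET['s']) && $_GET['s'] )
-	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
+	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', get_search_query() ); ?>
 </h2>
 
 <?php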
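Review bot: The new line 170 relies on the default value of get_search_query()'s `$escaped` parameter for output safety, and nothing at the call site tells a reader that the value is already escaped; the same applies to the new line 171 in wp-admin/upload.php. A later maintainer is likely to re-wrap it in esc_html() and double-escape the `&` entities, which is exactly what this patch removes. Add a short comment above each printf, `// get_search_query() returns an esc_attr()-escaped value; do not escape it again.`, so the dependence on the default is visible in review rather than implicit.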
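--- a/wp-admin/upload.php
+++ b/wp-admin/upload.php
@@ -168,7 +168,7 @@
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title ); ?> <a href="media-new.php" class="button add-new-h2"><?php echo esc_html_x('Add New', 'file'); ?></a> <?php
 if ( isset($_GET['s']) && $_GET['s'] )
-	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
+	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', get_search_query() ); ?>
 </h2>
 
 <?php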
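--- a/wp-includes/feed-atom-comments.php
+++ b/wp-includes/feed-atom-comments.php
@@ -18,7 +18,7 @@
 		if ( is_singular() )
 			printf(ent2ncr(__('Comments on %s')), get_the_title_rss());
 		elseif ( is_search() )
-			printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), esc_attr(get_search_query()));
+			printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), get_search_query() );
 		else
 			printf(ent2ncr(__('Comments for %s')), get_bloginfo_rss( 'name' ) . get_wp_title_rss());
 	?></title>
@@ -31,7 +31,7 @@
 	<link rel="self" type="application/atom+xml" href="<?php echo get_post_comments_feed_link('', 'atom'); ?>" />
 	<id><?php echo get_post_comments_feed_link('', 'atom'); ?></id>
 <?php } elseif(is_search()) { ?>
-	<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" href="<?php echo home_url() . '?s=' . esc_attr(get_search_query()); ?>" />
+	<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" href="<?php echo home_url() . '?s=' . get_search_query(); ?>" />
 	<link rel="self" type="application/atom+xml" href="<?php echo get_search_comments_feed_link('', 'atom'); ?>" />
 	<id><?php echo get_search_comments_feed_link('', 'atom'); ?></id>
 <?php } else { ?>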
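Review bot: On the new line 34 the search term is appended to a URL query string with only esc_attr() applied (via the default of get_search_query()), which entity-encodes HTML metacharacters but does not percent-encode URL-significant characters such as `&`, `#`, `+` or spaces, so the alternate link can point at a different search than the one this feed was generated for. Build the href from the unescaped value and URL-encode it: `href="<?php echo esc_url( home_url() . '?s=' . urlencode( get_search_query( false ) ) ); ?>"`. The removed line had the same gap, so the patch does not introduce it, but it touches the line and the new `get_search_query( false )` form is what makes a correct fix possible.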
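--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -156,7 +156,7 @@
 
 	$form = '<form role="search" method="get" id="searchform" action="' . home_url() . '/" >
 	<div><label class="screen-reader-text" for="s">' . __('Search for:') . '</label>
-	<input type="text" value="' . esc_attr(apply_filters('the_search_query', get_search_query())) . '" name="s" id="s" />
+	<input type="text" value="' . get_search_query() . '" name="s" id="s" />
 	<input type="submit" id="searchsubmit" value="'. esc_attr__('Search') .'" />
 	</div>
 	</form>';
@@ -1642,7 +1642,7 @@
 		$title = esc_attr(sprintf( $args['authortitle'], get_bloginfo('name'), $args['separator'], get_the_author_meta( 'display_name', $author_id ) ));
 		$href = get_author_feed_link( $author_id );
 	} elseif ( is_search() ) {
-		$title = esc_attr(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query() ));
+		$title = esc_attr(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query( false ) ));
 		$href = get_search_feed_link();
 	}
 
@@ -1825,12 +1825,21 @@
 /**
  * Retrieve the contents of the search WordPress query variable.
  *
+ * The search query string is passed through {@link esc_attr()}
+ * to ensure that it is safe for placing in an html attribute.
+ *
  * @since 2.3.0
+ * @uses esc_attr()
  *
+ * @param bool $escaped Whether the result is escaped. Default true.
+ *      Only use when you are later escaping it. Do not use unescaped.
  * @return string
  */
-function get_search_query() {
-	return apply_filters( 'get_search_query', get_query_var( 's' ) );
+function get_search_query( $escaped = true ) {
+	$query = apply_filters( 'get_search_query', get_query_var( 's' ) );
+	if ( $escaped )
+		$query = esc_attr( $query );
+	return $query;
 }
 
 /**
@@ -1839,11 +1848,11 @@
  * The search query string is passed through {@link esc_attr()}
  * to ensure that it is safe for placing in an html attribute.
  *
- * @uses attr
+ * @uses esc_attr()
  * @since 2.1.0
  */
 function the_search_query() {
-	echo esc_attr( apply_filters( 'the_search_query', get_search_query() ) );
+	echo esc_attr( apply_filters( 'the_search_query', get_search_query( false ) ) );
 }
 
 /**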
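Review bot: The new line 159 drops the `the_search_query` filter that the removed line passed the value through, so plugins hooked on that filter no longer affect the input value of the default search form; the description says the change is meant to stay compatible with filters, and this hunk does the opposite. Keep the filter and escape once, feeding it the raw value via the new parameter: `<input type="text" value="' . esc_attr( apply_filters( 'the_search_query', get_search_query( false ) ) ) . '" name="s" id="s" />`. That mirrors what the_search_query() does on the new line 1855 of this file. The function that builds `$form` starts and ends outside the hunk, so its name and signature are not visible here.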
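--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -686,7 +686,7 @@
 	global $wp_rewrite;
 
 	if ( empty($query) )
-		$search = get_search_query();
+		$search = get_search_query( false );
 	else
 		$search = stripslashes($query);
 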