Make WordPress Core

Ticket #57885: 57885.diff

File 57885.diff, 589 bytes (added by roytanck, 12 months ago)

Adds an XSS warning to the doc block for remove_query_arg .

  • src/wp-includes/functions.php

     
    11961196/**
    11971197 * Removes an item or items from a query string.
    11981198 *
     1199 * Important: The return value of remove_query_arg() is not escaped by default. Output should be
     1200 * late-escaped with esc_url() or similar to help prevent vulnerability to cross-site scripting
     1201 * (XSS) attacks.
     1202 *
    11991203 * @since 1.5.0
    12001204 *
    12011205 * @param string|string[] $key   Query key or keys to remove.