Make WordPress Core


Timestamp:
09/17/2015 09:38:56 AM (9 years ago)
Author:
DrewAPicture
Message:

Docs: Add a reminder to the DocBlock description for add_query_arg() mentioning that the output is not escaped by default.

Props brentvr for the initial patch. (first props!)
See #33912. See #32246.

File:
1 edited

  • trunk/src/wp-includes/functions.php

    r34257 r34264  
    680680 * value. Additional values provided are expected to be encoded appropriately
    681681 * with urlencode() or rawurlencode().
     682 *
     683 * Important: The return value of add_query_arg() is not escaped by default.
     684 * Output should be late-escaped with esc_url() or similar to help prevent
     685 * vulnerability to cross-site scripting (XSS) attacks.
    682686 *
    683687 * @since 1.5.0
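Review bot: "esc_url() or similar" in the new line 684 is vague for a warning that is meant to stop XSS; name the concrete alternative escaping function a caller should use when the return value is not going into an HTML attribute, since "or similar" gives the reader nothing to grep for. The closing clause "to help prevent vulnerability to cross-site scripting (XSS) attacks" also reads awkwardly; suggest "to help prevent cross-site scripting (XSS) vulnerabilities". It would help to make explicit that the existing sentence about urlencode()/rawurlencode() (lines 680-681) concerns the values passed in, while the new paragraph concerns the returned URL, so the two escaping steps are not read as one and the same.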