get_search_query() can be confusing as it doesn't sanitize
Reported by: Viper007Bond | Owned by: ryan
the_search_query() is the recommended way to display what a user searched for. But what if you need the_search_query()'s output for use in PHP, i.e. the value returned? get_search_query() seems like the correct function to use, but they differ in one very important way -- get_search_query() does not escape its output at all.
It's an easy mistake as most get_ functions are identical to their echoing counterparts and most users don't realize the difference. This can easily result in an XSS attack.
I'm not sure what the solution to this is, but there should be an easier way to get a safe search query than having the user call esc_attr(), get_search_query(), etc.
Perhaps deprecate get_search_query() and introduce get_the_search_query or something.
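The difference described in the ticket, as an added theme-side example (not code from the ticket or from WordPress core): a hypothetical helper `mytheme_safe_search_query()` wraps get_search_query() with context-appropriate escaping, assuming it runs inside WordPress where get_search_query(), the_search_query(), esc_attr() and esc_html() are loaded.

```php
<?php
/**
 * Return the current search term escaped for the context it will be printed in.
 * Hypothetical theme helper, not part of WordPress core.
 *
 * @param string $context 'attr' when printed inside an HTML attribute value,
 *                        'html' when printed as element text.
 * @return string Escaped search term, safe to echo in that context.
 */
function mytheme_safe_search_query( $context = 'attr' ) {
    // get_search_query() hands back the raw "s" query variable unescaped.
    $raw = get_search_query();
    return ( 'html' === $context ) ? esc_html( $raw ) : esc_attr( $raw );
}

/*
 * Unsafe pattern (kept in a PHP comment so it never runs): the raw value is
 * placed inside an attribute, so a search term containing a double quote
 * terminates the value="" early and the rest is parsed as markup.
 *
 *   <input type="text" name="s" value="<?php echo get_search_query(); ?>" />
 */
?>

<?php // Safe: the_search_query() escapes for attribute context itself. ?>
<form role="search" method="get">
    <input type="text" name="s" value="<?php the_search_query(); ?>" />
    <input type="submit" value="Search" />
</form>

<?php // Safe: the value is needed in PHP, so escape it for where it is printed. ?>
<h2>Search results for: <?php echo mytheme_safe_search_query( 'html' ); ?></h2>
```

esc_attr() and esc_html() differ only in the quoting contexts they cover, so pick the one matching where the string lands rather than escaping once and reusing it everywhere.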
Change History (9)
- Milestone changed from Unassigned to 3.0
- Priority changed from normal to high