Have get_search_query() escape by default, like it's echoing counterpart the_search_query(). see #12780

git-svn-id: http://svn.automattic.com/wordpress/trunk@13978 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/edit.php

@@ -167,7 +167,7 @@ else
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title ); ?> <a href="<?php echo $post_new_file ?>" class="button add-new-h2"><?php echo esc_html_x('Add New', 'post'); ?></a> <?php
 if ( isset($_GET['s']) && $_GET['s'] )
-	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
+	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', get_search_query() ); ?>
 </h2>
 
 <?php

wp-admin/upload.php

@@ -168,7 +168,7 @@ require_once('admin-header.php');
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title ); ?> <a href="media-new.php" class="button add-new-h2"><?php echo esc_html_x('Add New', 'file'); ?></a> <?php
 if ( isset($_GET['s']) && $_GET['s'] )
-	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
+	printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', get_search_query() ); ?>
 </h2>
 
 <?php

wp-includes/feed-atom-comments.php

@@ -18,7 +18,7 @@ echo '<?xml version="1.0" encoding="' . get_option('blog_charset') . '" ?' . '>'
 		if ( is_singular() )
 			printf(ent2ncr(__('Comments on %s')), get_the_title_rss());
 		elseif ( is_search() )
-			printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), esc_attr(get_search_query()));
+			printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), get_search_query() );
 		else
 			printf(ent2ncr(__('Comments for %s')), get_bloginfo_rss( 'name' ) . get_wp_title_rss());
 	?></title>
@@ -31,7 +31,7 @@ echo '<?xml version="1.0" encoding="' . get_option('blog_charset') . '" ?' . '>'
 	<link rel="self" type="application/atom+xml" href="<?php echo get_post_comments_feed_link('', 'atom'); ?>" />
 	<id><?php echo get_post_comments_feed_link('', 'atom'); ?></id>
 <?php } elseif(is_search()) { ?>
-	<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" href="<?php echo home_url() . '?s=' . esc_attr(get_search_query()); ?>" />
+	<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" href="<?php echo home_url() . '?s=' . get_search_query(); ?>" />
 	<link rel="self" type="application/atom+xml" href="<?php echo get_search_comments_feed_link('', 'atom'); ?>" />
 	<id><?php echo get_search_comments_feed_link('', 'atom'); ?></id>
 <?php } else { ?>

wp-includes/general-template.php

@@ -156,7 +156,7 @@ function get_search_form($echo = true) {
 
 	$form = '<form role="search" method="get" id="searchform" action="' . home_url() . '/" >
 	<div><label class="screen-reader-text" for="s">' . __('Search for:') . '</label>
-	<input type="text" value="' . esc_attr(apply_filters('the_search_query', get_search_query())) . '" name="s" id="s" />
+	<input type="text" value="' . get_search_query() . '" name="s" id="s" />
 	<input type="submit" id="searchsubmit" value="'. esc_attr__('Search') .'" />
 	</div>
 	</form>';
@@ -1642,7 +1642,7 @@ function feed_links_extra( $args = array() ) {
 		$title = esc_attr(sprintf( $args['authortitle'], get_bloginfo('name'), $args['separator'], get_the_author_meta( 'display_name', $author_id ) ));
 		$href = get_author_feed_link( $author_id );
 	} elseif ( is_search() ) {
-		$title = esc_attr(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query() ));
+		$title = esc_attr(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query( false ) ));
 		$href = get_search_feed_link();
 	}
 
@@ -1825,12 +1825,21 @@ function the_editor($content, $id = 'content', $prev_id = 'title', $media_button
 /**
  * Retrieve the contents of the search WordPress query variable.
  *
- * @since 2.3.0
+ * The search query string is passed through {@link esc_attr()}
+ * to ensure that it is safe for placing in an html attribute.
  *
+ * @since 2.3.0
+ * @uses esc_attr()
+ *
+ * @param bool $escaped Whether the result is escaped. Default true.
+ * 	Only use when you are later escaping it. Do not use unescaped.
  * @return string
  */
-function get_search_query() {
-	return apply_filters( 'get_search_query', get_query_var( 's' ) );
+function get_search_query( $escaped = true ) {
+	$query = apply_filters( 'get_search_query', get_query_var( 's' ) );
+	if ( $escaped )
+		$query = esc_attr( $query );
+	return $query;
 }
 
 /**
@@ -1839,11 +1848,11 @@ function get_search_query() {
  * The search query string is passed through {@link esc_attr()}
  * to ensure that it is safe for placing in an html attribute.
  *
- * @uses attr
+ * @uses esc_attr()
  * @since 2.1.0
  */
 function the_search_query() {
-	echo esc_attr( apply_filters( 'the_search_query', get_search_query() ) );
+	echo esc_attr( apply_filters( 'the_search_query', get_search_query( false ) ) );
 }
 
 /**

wp-includes/link-template.php

@@ -686,7 +686,7 @@ function get_search_link( $query = '' ) {
 	global $wp_rewrite;
 
 	if ( empty($query) )
-		$search = get_search_query();
+		$search = get_search_query( false );
 	else
 		$search = stripslashes($query);