A Note To Theme Authors About get_search_query()

UPDATE: As of WordPress 3.0, get_search_query() sanitizes its output and can be used directly.

Theme authors: the WordPress function get_search_query() is NOT sanitized! Don’t make the same mistake that I have in the past.

For example, this code taken from the LA-School blue theme is not safe:

<p><?php printf(__('You have searched the <a href="%1$s/">%2$s</a> blog archives for <strong>&#8216;%3$s&#8217;</strong>.', 'laschool'), get_bloginfo('url'), get_bloginfo('name'), get_search_query()); ?></p>

With that theme, that text will only be shown if there are search results, meaning the code can’t easily be exploited in this particular theme, but it’s still unsafe. The proper way would be to wrap the function in attribute_escape() like this:

<p><?php printf( __('You have searched the <a href="%1$s/">%2$s</a> blog archives for <strong>&#8216;%3$s&#8217;</strong>.', 'laschool'), get_bloginfo('url'), get_bloginfo('name'), attribute_escape( get_search_query() ) ); ?></p>

Of course, if you don’t need the search query returned and just want to output it directly, then just use the_search_query(), which will echo a totally safe version.
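To make the context point concrete, here is an added example of a search.php fragment. It is not code from the post or from the LA-School theme, and it assumes WordPress 2.8 or newer, where esc_html(), esc_attr() and esc_url() replaced the attribute_escape() call used above (attribute_escape() still works but is deprecated since 2.8). The text domain 'mytheme' is a placeholder. The same query is printed in three different output contexts, each with the escaping function that matches that context; on WordPress 3.0+ get_search_query() already escapes its return value, so the wrappers become redundant but do no harm.

```php
<?php
/*
 * Added example (not from the post or the LA-School theme): a search.php
 * fragment that prints the visitor's search query in three output contexts.
 *
 * Assumption: WordPress 2.8+, where esc_html(), esc_attr() and esc_url()
 * exist. On 3.0+ get_search_query() is already escaped; these calls are then
 * redundant but harmless.
 */

// Pre-3.0 this is the raw query string exactly as the visitor typed it.
$query = get_search_query();
?>

<!-- UNSAFE on pre-3.0 (kept as a comment for contrast): the query is written
     into the page as raw HTML, so any markup in it is rendered.
<h2>Search results for: <?php echo $query; ?></h2>
-->

<!-- Context 1: HTML text content. esc_html() encodes <, >, &, " and '. -->
<h2>Search results for: <?php echo esc_html( $query ); ?></h2>

<!-- Context 2: a quoted HTML attribute. A search form that re-populates its
     text field must use esc_attr() so the value cannot close the quote. -->
<form role="search" method="get" action="<?php echo esc_url( get_bloginfo( 'url' ) ); ?>/">
	<input type="text" name="s" value="<?php echo esc_attr( $query ); ?>" />
	<input type="submit" value="Search" />
</form>

<?php
// Context 3: a translated string with placeholders, as in the theme snippet.
// Escape the argument, not the whole formatted string, so the markup that is
// part of the translation survives while the visitor-supplied part does not.
printf(
	__( 'You have searched for <strong>&#8216;%s&#8217;</strong>.', 'mytheme' ),
	esc_html( $query )
);
?>

<!-- Or let WordPress do the work: the_search_query() echoes an escaped value. -->
<p><?php the_search_query(); ?></p>
```

The rule of thumb the fragment illustrates: pick the escaping function by where the value lands (text node, attribute, URL), and apply it to the untrusted value at the point of output rather than to the whole translated string.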

I’m Turning Off Weekly Twitter Reports

Since I don’t post enough on this blog, I’m going to turn off my weekly Twitter reports. If I blogged at least once a week, it wouldn’t be a problem, but I often don’t, so it was spamming my blog.

If you actually care about what I have to say on Twitter, just follow me. Note I do try to keep the random boring personal crap to a minimum, so don’t be scared to follow me. In fact, I find I’m often tweeting something interesting I find rather than writing a short blog post about it.

Twitter Weekly Updates For 2009-04-06

  • Starting to get burned out due to an excess of work. More normal sleep schedule would probably help (up until 7am every night of the week).
  • The wonderful piece of software that is iTunes (that was sarcasm) managed to corrupt my entire library today. Awesome.
  • RT @rmccue: Poll for new ops on #wordpress IRC channel: http://is.gd/pNYB (I recommend: Viper007Bond, sivel, and me (rmccue) :) )
  • Tomorrow is my least favorite day of the year.
  • Woo hoo, GMail themes have finally come to Google Apps hosted e-mail!
  • I must admit, I do enjoy the obvious jokes today. It’s the ones that attempt to actually fool people that I dislike.
  • YouTube implements Australian-friendly interface: http://is.gd/q2ns http://is.gd/pZix (via @mark_forrester)
  • Just watched Stranger Than Fiction for the first time. What a great movie. Will Ferrell was quite good. Good to see him in that type of role.
  • Woah, never realized WP-Super-Cache’s settings page had collapsible items. In my defense, it doesn’t say they are anywhere. @donncha
  • Oh, and it doesn’t save my expand/collapse preferences. Seems a bit silly of a feature then. :( @donncha
  • No matter how many times I listen to Minutes to Midnight by Linkin Park, it never gets old.
  • Quick and easy test to see if your Windows PC has Conficker or not: http://is.gd/qdWf
  • RT @mattcutts: You really should try this Greasemonkey script for Twitter: http://bit.ly/RkVn It fixes lots of Twitter annoyances.
  • I want to go to bed, but I have to get some more work done. /sigh
  • Never seen the purpose of WP SEO plugins. I use WP out of the box (just pretty URLs enabled) and my blogs have a PR of 7 and 5. *shrug*
  • RT @donncha: The 3 WP developer links I twittered last week: http://url.ie/1eur
  • Woot, time to watch some Nitro Circus.