Comments on: A Note To Theme Authors About get_search_query()

By: Darknet

Darknet — Sat, 24 Apr 2010 15:24:24 +0000

Nice article, someone just reported an XSS in my site – it was the same issue the theme was just spitting out the search query raw as %s on the page which made it easily exploited.

Switched it to the_search_query() and I’m safe again.

Thanks! Because the WP Codex information of these functions SUCKS.

By: Viper007Bond

Viper007Bond — Sun, 27 Dec 2009 20:50:04 +0000

At the time I wrote this post, attribute_escape() was not deprecated.

By: EW

EW — Sun, 27 Dec 2009 20:28:03 +0000

the_search_query() is for outputting directly within the div body, e.g. wrapped by tags in your example.

You would echo the results of esc_attr() or esc_attr_e() for elements attributes (such as: an input value=”something” attribute). See http://codex.wordpress.org/Function_Reference/attribute_escape for deprecation notice.

By: Le référencement local, les résultats personnalisés et une faille XSS | Pink Seo – Another SEO blog

Sun, 13 Dec 2009 21:29:51 +0000

[...] où la fonction get_search_query() était utilisé. En remplaçant par the_search_query() comme expliqué ici résoud le problème. Donc attention avant d’installer un thème sur votre blog, même si [...]

By: Ma revue de la semaine | 360 e-media

Ma revue de la semaine | 360 e-media — Sun, 06 Dec 2009 18:45:20 +0000

[...] à WordPress, si ces problèmatiques vous intéressent, voici quelques liens intéressants : ici, et ici. (et puis tant que j’y suis, un lien vers un support de cours sur la sécurisation [...]

By: Viper007Bond

Viper007Bond — Fri, 08 May 2009 13:24:05 +0000

Dougal Campbell on May 8th, 2009 at 5:51 AM wrote:

Viper: why did you pass through attribute_escape() instead of wp_specialchars()? Wouldn’t that be a more appropriate choice for text destined to be displayed in the page? Does the extra invalid UTF check give any extra protection for this case?

Probably, but they’re very similar (I believe both are just complex versions of htmlspecialchars()). I just stole the code I posted though out of the_search_query() which is mainly meant for the search form (i.e. filling in the search box with the term you searched for).

By: Dougal Campbell

Dougal Campbell — Fri, 08 May 2009 12:51:19 +0000

So when you’re saying it’s not sanitized, I’m guessing that you’re saying that it’s susceptible to SQL injection?

He’s just saying that the function returns the raw value, just as it was passed into WordPress, and you can’t trust it. Otherwise, if you just echo it back to the browser without sanitizing it yourself, you could be opening up an XSS hole (cross-site scripting). Somebody could make a link elsewhere with evil code in it which could steal an unsuspecting visitor’s cookies, under the right conditions (the user has cookies from your blog, and they get tricked into clicking the evil link on some other site).

Viper: why did you pass through attribute_escape() instead of wp_specialchars()? Wouldn’t that be a more appropriate choice for text destined to be displayed in the page? Does the extra invalid UTF check give any extra protection for this case?

By: Viper007Bond

Viper007Bond — Tue, 28 Apr 2009 02:04:08 +0000

Kevin on April 27th, 2009 at 6:25 AM wrote:

So when you’re saying it’s not sanitized, I’m guessing that you’re saying that it’s susceptible to SQL injection?

No, I mean if a user visits site.com/?s=