Commit 44deb16935 for wordpress.org
commit 44deb16935cca0c1dce25544abb26f0053733c91
Author: Sergey Biryukov <sergeybiryukov.ru@gmail.com>
Date: Sat Jan 3 22:26:34 2026 +0000
Bundled Themes: Consistently escape `get_search_query()` in the search results templates (`search.php` and the equivalent `index.php` / `content-none.php` templates).
Props sabernhardt, himshekhar07, petitphp, karmatosed, SergeyBiryukov.
Fixes #58127.
Built from https://develop.svn.wordpress.org/trunk@61427
git-svn-id: http://core.svn.wordpress.org/trunk@60739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
diff --git a/wp-content/themes/twentyeleven/search.php b/wp-content/themes/twentyeleven/search.php
index f7902d35f0..41c49413f1 100644
--- a/wp-content/themes/twentyeleven/search.php
+++ b/wp-content/themes/twentyeleven/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: %s: Search query. */
- printf( __( 'Search Results for: %s', 'twentyeleven' ), '<span>' . get_search_query() . '</span>' );
+ printf( __( 'Search Results for: %s', 'twentyeleven' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
?>
</h1>
</header>
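Review bot: The format string on the changed line is still passed through `__()` and printed unescaped, while the twentytwentyone templates in this same commit use `esc_html__()` for the identical construct; `printf( esc_html__( 'Search Results for: %s', 'twentyeleven' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );` keeps the `<span>` intact because the markup lives in the argument, not in the translated text. Presumably the `false` is there because `get_search_query()` returns an already-escaped value by default, so it is what stops the new `esc_html()` from double-encoding `&` and quotes — that intent is not visible from the line itself, so a comment such as `// Fetch the raw query and escape once here for HTML context; the default (pre-escaped) value would be double-encoded.` would help the next maintainer. Translation catalogs are normally trusted input, so the `esc_html__()` change is a late-escaping consistency point rather than a new hole.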
diff --git a/wp-content/themes/twentyfifteen/search.php b/wp-content/themes/twentyfifteen/search.php
index 18355d351e..24fd313903 100644
--- a/wp-content/themes/twentyfifteen/search.php
+++ b/wp-content/themes/twentyfifteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: %s: Search query. */
- printf( __( 'Search Results for: %s', 'twentyfifteen' ), get_search_query() );
+ printf( __( 'Search Results for: %s', 'twentyfifteen' ), esc_html( get_search_query( false ) ) );
?>
</h1>
</header><!-- .page-header -->
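Review bot: With no markup in the argument, the whole heading on the changed line can be escaped at output time rather than only the query half: `printf( esc_html__( 'Search Results for: %s', 'twentyfifteen' ), esc_html( get_search_query( false ) ) );`, which is the form twentytwentyone uses in this commit and the same msgid, so existing translations keep working. Translated strings are a low-risk source, so this is about applying the same escape-late rule the commit is introducing consistently, not about an exploitable gap.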
diff --git a/wp-content/themes/twentyfourteen/search.php b/wp-content/themes/twentyfourteen/search.php
index 80dc4d1e22..08970c4ea2 100644
--- a/wp-content/themes/twentyfourteen/search.php
+++ b/wp-content/themes/twentyfourteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: %s: Search query. */
- printf( __( 'Search Results for: %s', 'twentyfourteen' ), get_search_query() );
+ printf( __( 'Search Results for: %s', 'twentyfourteen' ), esc_html( get_search_query( false ) ) );
?>
</h1>
</header><!-- .page-header -->
diff --git a/wp-content/themes/twentynineteen/search.php b/wp-content/themes/twentynineteen/search.php
index af9d26540c..9d24324a06 100644
--- a/wp-content/themes/twentynineteen/search.php
+++ b/wp-content/themes/twentynineteen/search.php
@@ -20,7 +20,7 @@ get_header();
<header class="page-header">
<h1 class="page-title">
<?php _e( 'Search results for: ', 'twentynineteen' ); ?>
- <span class="page-description"><?php echo get_search_query(); ?></span>
+ <span class="page-description"><?php echo esc_html( get_search_query( false ) ); ?></span>
</h1>
</header><!-- .page-header -->
diff --git a/wp-content/themes/twentyseventeen/search.php b/wp-content/themes/twentyseventeen/search.php
index 5bf77c009c..d7fa8e8ebe 100644
--- a/wp-content/themes/twentyseventeen/search.php
+++ b/wp-content/themes/twentyseventeen/search.php
@@ -19,7 +19,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: Search query. */
- printf( __( 'Search Results for: %s', 'twentyseventeen' ), '<span>' . get_search_query() . '</span>' );
+ printf( __( 'Search Results for: %s', 'twentyseventeen' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
?>
</h1>
<?php else : ?>
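Review bot: The translators comment above the changed line reads `/* translators: Search query. */` and omits the placeholder name; every other theme touched by this commit uses `/* translators: %s: Search query. */`, and naming the placeholder is what lets a translator know which `%s` the description refers to. Since the line is being edited anyway, updating the comment to `/* translators: %s: Search query. */` keeps the bundled themes consistent. The `if`/`else` that this hunk's trailing `<?php else : ?>` belongs to starts outside the hunk.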
diff --git a/wp-content/themes/twentysixteen/search.php b/wp-content/themes/twentysixteen/search.php
index afc4a90623..999b057d78 100644
--- a/wp-content/themes/twentysixteen/search.php
+++ b/wp-content/themes/twentysixteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: %s: The search query. */
- printf( __( 'Search Results for: %s', 'twentysixteen' ), '<span>' . esc_html( get_search_query() ) . '</span>' );
+ printf( __( 'Search Results for: %s', 'twentysixteen' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
?>
</h1>
</header><!-- .page-header -->
diff --git a/wp-content/themes/twentyten/search.php b/wp-content/themes/twentyten/search.php
index 8e69824d11..aa398cd763 100644
--- a/wp-content/themes/twentyten/search.php
+++ b/wp-content/themes/twentyten/search.php
@@ -16,7 +16,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: %s: Search query. */
- printf( __( 'Search Results for: %s', 'twentyten' ), '<span>' . get_search_query() . '</span>' );
+ printf( __( 'Search Results for: %s', 'twentyten' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
?>
</h1>
<?php
diff --git a/wp-content/themes/twentythirteen/search.php b/wp-content/themes/twentythirteen/search.php
index a94d48a2c9..645e63572e 100644
--- a/wp-content/themes/twentythirteen/search.php
+++ b/wp-content/themes/twentythirteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: %s: Search query. */
- printf( __( 'Search Results for: %s', 'twentythirteen' ), get_search_query() );
+ printf( __( 'Search Results for: %s', 'twentythirteen' ), esc_html( get_search_query( false ) ) );
?>
</h1>
</header>
diff --git a/wp-content/themes/twentytwelve/search.php b/wp-content/themes/twentytwelve/search.php
index 99acfe4034..a00d2f0113 100644
--- a/wp-content/themes/twentytwelve/search.php
+++ b/wp-content/themes/twentytwelve/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
<h1 class="page-title">
<?php
/* translators: %s: Search query. */
- printf( __( 'Search Results for: %s', 'twentytwelve' ), '<span>' . get_search_query() . '</span>' );
+ printf( __( 'Search Results for: %s', 'twentytwelve' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
?>
</h1>
</header>
diff --git a/wp-content/themes/twentytwenty/index.php b/wp-content/themes/twentytwenty/index.php
index 9c7442c6e9..6403ffa6fa 100644
--- a/wp-content/themes/twentytwenty/index.php
+++ b/wp-content/themes/twentytwenty/index.php
@@ -31,9 +31,9 @@ get_header();
global $wp_query;
$archive_title = sprintf(
- '%1$s %2$s',
+ '%1$s “%2$s”',
'<span class="color-accent">' . __( 'Search:', 'twentytwenty' ) . '</span>',
- '“' . get_search_query() . '”'
+ esc_html( get_search_query( false ) )
);
if ( $wp_query->found_posts ) {
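Review bot: The curly quotes now live in the hard-coded format string `'%1$s “%2$s”'` outside any translation function, so locales that quote with „…“ or «…» cannot adapt them; they were already hard-coded before this change, but moving them into the format is a natural moment to make it `/* translators: 1: "Search:" label wrapped in a span, 2: Search query. */ __( '%1$s “%2$s”', 'twentytwenty' )`. That does introduce a new msgid, so it may be better as a follow-up. Also note that `%1$s` carries `<span class="color-accent">` markup, so whatever later echoes `$archive_title` must not `esc_html()` the whole string — that consumer, like the `if ( $wp_query->found_posts )` block that opens on the hunk's last line, is outside this hunk and not visible here.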
diff --git a/wp-content/themes/twentytwentyone/search.php b/wp-content/themes/twentytwentyone/search.php
index b39704303e..4a7d2d5911 100644
--- a/wp-content/themes/twentytwentyone/search.php
+++ b/wp-content/themes/twentytwentyone/search.php
@@ -19,7 +19,7 @@ if ( have_posts() ) {
printf(
/* translators: %s: Search term. */
esc_html__( 'Results for "%s"', 'twentytwentyone' ),
- '<span class="page-description search-term">' . esc_html( get_search_query() ) . '</span>'
+ '<span class="page-description search-term">' . esc_html( get_search_query( false ) ) . '</span>'
);
?>
</h1>
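Review bot: The changed `printf()` heading is repeated verbatim in `template-parts/content/content-none.php` in this same commit (same msgid, same `<span class="page-description search-term">` wrapper, same escaping), which is why this fix had to be applied twice; extracting the heading into a single template part or a small helper would mean the next escaping change touches one place. The `printf()` is complete within the hunk, but the `if ( have_posts() ) {` shown in the hunk header means the enclosing block starts outside it.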
diff --git a/wp-content/themes/twentytwentyone/template-parts/content/content-none.php b/wp-content/themes/twentytwentyone/template-parts/content/content-none.php
index 7d34f47adc..e62b4c9fd5 100644
--- a/wp-content/themes/twentytwentyone/template-parts/content/content-none.php
+++ b/wp-content/themes/twentytwentyone/template-parts/content/content-none.php
@@ -20,7 +20,7 @@
printf(
/* translators: %s: Search term. */
esc_html__( 'Results for "%s"', 'twentytwentyone' ),
- '<span class="page-description search-term">' . esc_html( get_search_query() ) . '</span>'
+ '<span class="page-description search-term">' . esc_html( get_search_query( false ) ) . '</span>'
);
?>
</h1>
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 75a547a5ab..93c9702d5e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
-$wp_version = '7.0-alpha-61426';
+$wp_version = '7.0-alpha-61427';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.