Searchform value is double escaped #122


6 participants


There is no need to esc_attr( get_search_query() ) since the function's default behavior already escapes it.

/* See wp-includes/general-template.php, line 1827 */
function get_search_query( $escaped = true ) {
    $query = apply_filters( 'get_search_query', get_query_var( 's' ) );
    if ( $escaped )
        $query = esc_attr( $query );
    return $query;
}

I disagree. I believe it's best practice to escape as late as possible, so in this example, I don't have to think about whether get_search_query escapes the output or not, because I know I am and that's all that matters. I think there can never be too much escaping :)
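To make the two positions above concrete, here is an added example that is not code from the _s theme, from WordPress core, or from any participant in this thread. It runs without WordPress by using stand-ins for get_search_query() and esc_attr(); those stand-ins (demo_get_search_query, demo_esc_attr, render_value_attr) are assumptions about core behaviour made for the demonstration, not core itself. It shows what the value attribute looks like with and without the template-level esc_attr(), for the default escaped call and for a get_search_query( false ) call.

```php
<?php
// Added example, not the theme's or WordPress core's code. Stand-ins below are
// assumptions about how core behaves, written so the file runs stand-alone.

// Stand-in for WordPress esc_attr(): entity-encode ", ', <, > and & for an HTML
// attribute context. double_encode=false is assumed to mirror core, which is why
// escaping an already-escaped string leaves existing entities untouched.
function demo_esc_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

// Stand-in for get_search_query(): $raw plays the role of get_query_var( 's' ),
// $filter the role of the 'get_search_query' filter, which runs BEFORE escaping.
function demo_get_search_query( string $raw, bool $escaped = true, ?callable $filter = null ): string {
    $query = $filter ? $filter( $raw ) : $raw;
    return $escaped ? demo_esc_attr( $query ) : $query;
}

// Render the attribute the way searchform.php does, with ($escape_in_template =
// true, the removed line) and without (the added line) the template-level esc_attr().
function render_value_attr( string $raw, bool $escape_in_template, bool $escaped_arg = true, ?callable $filter = null ): string {
    $value = demo_get_search_query( $raw, $escaped_arg, $filter );
    if ( $escape_in_template ) {
        $value = demo_esc_attr( $value );
    }
    return 'value="' . $value . '"';
}

// Constructed attacker-style search term that tries to break out of the attribute.
$payload = '" onfocus="alert(1)" x="';

// 1. For the default call both forms render identical markup: the second
//    esc_attr() finds only entities and encodes nothing again.
$with    = render_value_attr( $payload, true );
$without = render_value_attr( $payload, false );
assert( $with === $without );
assert( $with === 'value="&quot; onfocus=&quot;alert(1)&quot; x=&quot;"' );

// 2. Input that already contains an entity is likewise unchanged by the second
//    escape, so the "double escaping" in the PR title does not show up in output.
assert( render_value_attr( 'fish &amp; chips', true ) === 'value="fish &amp; chips"' );

// 3. If the call is ever changed to get_search_query( false ), only the
//    template-level esc_attr() keeps the attribute intact.
assert( render_value_attr( $payload, false, false ) === 'value="" onfocus="alert(1)" x=""' );
assert( render_value_attr( $payload, true, false )  === 'value="&quot; onfocus=&quot;alert(1)&quot; x=&quot;"' );

// 4. A filter that returns raw markup is still escaped, because the filter runs
//    before the $escaped branch in get_search_query().
$filter = fn( string $q ): string => '<b>' . $q . '</b>';
assert( render_value_attr( 'term', false, true, $filter ) === 'value="&lt;b&gt;term&lt;/b&gt;"' );

echo "all cases behaved as expected\n";
```

Run with `php example.php` (PHP 7.4 or later, with zend.assertions enabled so the assert() calls are checked). Case 1 is the PR author's point: with the default call the extra esc_attr() changes nothing. Cases 3 and 4 are the counter-argument: the esc_attr() at the echo site is the only escape the template itself can vouch for.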


+1 to keep it, as that educates developers too.


I strongly agree with @kovshenin. Not only does this reduce the stress required to figure out if the attribute escaping happens in core or not, but it also encourages proper practices in the community.

Voting to close this request.


In my opinion the least amount of coding should be done in the template.
Another solution could be: get_search_query( $escaped = true ); so you keep educating but do not run an escape on a string twice.

And @philiparthurmoore, a WordPress theme should be built on the WordPress core, not teaching people how to properly use PHP.


In my opinion there should be the least amount of coding

Shorter doesn't always mean better, besides get_search_query( $escaped = true ); is 5 bytes longer than the original esc_attr way, and doesn't really educate developers about how they should escape attributes in their code :)


I totally agree with @kovshenin on this and suggest that we close this as a duplicate of #52

ianstewart closed this

Votes and suggestion taken in, ticket closed.

Commits on Dec 13, 2012
  1. @raldenhoven
Showing with 1 addition and 1 deletion.
  1. +1 −1  searchform.php
@@ -8,6 +8,6 @@
<form method="get" id="searchform" action="<?php echo esc_url( home_url( '/' ) ); ?>" role="search">
<label for="s" class="assistive-text"><?php _e( 'Search', '_s' ); ?></label>
- <input type="text" class="field" name="s" value="<?php echo esc_attr( get_search_query() ); ?>" id="s" placeholder="<?php esc_attr_e( 'Search &hellip;', '_s' ); ?>" />
+ <input type="text" class="field" name="s" value="<?php echo get_search_query(); ?>" id="s" placeholder="<?php esc_attr_e( 'Search &hellip;', '_s' ); ?>" />
<input type="submit" class="submit" name="submit" id="searchsubmit" value="<?php esc_attr_e( 'Search', '_s' ); ?>" />
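Review bot: Dropping esc_attr() on the changed `value="<?php echo get_search_query(); ?>"` line makes the attribute's safety depend on the `$escaped = true` default of a function defined outside this file; nothing on the changed line itself shows that the value is escaped, so a reader auditing the template, or a later edit to `get_search_query( false )`, has no local guarantee. Suggest keeping `value="<?php echo esc_attr( get_search_query() ); ?>"` as in the removed line, which matches the `esc_url()` and `esc_attr_e()` calls on the surrounding lines that all escape at the point of output.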