Docs: Add security warning in remove_query_arg() docblock to make it consistent with add_query_arg().

Props roytanck. Fixes #57885. See #56792. git-svn-id: https://develop.svn.wordpress.org/trunk@55492 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 14:20:15 +00:00 · 2023-03-08 22:17:53 +00:00
parent e4c3b032ae
commit 1fdcbbfec3
1 changed files with 4 additions and 0 deletions
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -1196,6 +1196,10 @@ function add_query_arg( ...$args ) {
 /**
 * Removes an item or items from a query string.
 *
+ * Important: The return value of remove_query_arg() is not escaped by default. Output should be
+ * late-escaped with esc_url() or similar to help prevent vulnerability to cross-site scripting
+ * (XSS) attacks.
+ *
 * @since 1.5.0
 *
 * @param string|string[] $key   Query key or keys to remove.