From 1fdcbbfec3e1f206ad977b8b8fbc631e0f3b7064 Mon Sep 17 00:00:00 2001
From: Jb Audras
Date: Wed, 8 Mar 2023 22:17:53 +0000
Subject: [PATCH] Docs: Add security warning in `remove_query_arg()` docblock to make it consistent with `add_query_arg()`.

Props roytanck. Fixes #57885. See #56792.

git-svn-id: https://develop.svn.wordpress.org/trunk@55492 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/functions.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index 67089803bb..3183739378 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -1196,6 +1196,10 @@ function add_query_arg( ...$args ) {
 /**
  * Removes an item or items from a query string.
  *
+ * Important: The return value of remove_query_arg() is not escaped by default. Output should be
+ * late-escaped with esc_url() or similar to help prevent vulnerability to cross-site scripting
+ * (XSS) attacks.
+ *
  * @since 1.5.0
  *
  * @param string|string[] $key Query key or keys to remove.
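Review bot: The phrase `not escaped by default` in the added paragraph implies that an escaping option exists, which nothing in the hunk suggests; `is not escaped` would state the contract more precisely. Since the wording is deliberately mirrored from add_query_arg() for consistency, any rewording would need to land in both docblocks rather than here alone. It may also be worth adding that esc_url() is the escaper for a URL emitted into an HTML href/src attribute and that other output contexts need their own context-appropriate escaper, so readers do not treat esc_url() as universal. The remove_query_arg() signature this docblock describes begins after the hunk.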