From 44deb16935cca0c1dce25544abb26f0053733c91 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov.ru@gmail.com>
Date: Sat, 3 Jan 2026 22:26:34 +0000
Subject: [PATCH] Bundled Themes: Consistently escape `get_search_query()` in
 `search.php` templates.

Props sabernhardt, himshekhar07, petitphp, karmatosed, SergeyBiryukov.
Fixes #58127.
Built from https://develop.svn.wordpress.org/trunk@61427


git-svn-id: http://core.svn.wordpress.org/trunk@60739 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-content/themes/twentyeleven/search.php                     | 2 +-
 wp-content/themes/twentyfifteen/search.php                    | 2 +-
 wp-content/themes/twentyfourteen/search.php                   | 2 +-
 wp-content/themes/twentynineteen/search.php                   | 2 +-
 wp-content/themes/twentyseventeen/search.php                  | 2 +-
 wp-content/themes/twentysixteen/search.php                    | 2 +-
 wp-content/themes/twentyten/search.php                        | 2 +-
 wp-content/themes/twentythirteen/search.php                   | 2 +-
 wp-content/themes/twentytwelve/search.php                     | 2 +-
 wp-content/themes/twentytwenty/index.php                      | 4 ++--
 wp-content/themes/twentytwentyone/search.php                  | 2 +-
 .../twentytwentyone/template-parts/content/content-none.php   | 2 +-
 wp-includes/version.php                                       | 2 +-
 13 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/wp-content/themes/twentyeleven/search.php b/wp-content/themes/twentyeleven/search.php
index f7902d35f0..41c49413f1 100644
--- a/wp-content/themes/twentyeleven/search.php
+++ b/wp-content/themes/twentyeleven/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
 					<h1 class="page-title">
 					<?php
 					/* translators: %s: Search query. */
-					printf( __( 'Search Results for: %s', 'twentyeleven' ), '<span>' . get_search_query() . '</span>' );
+					printf( __( 'Search Results for: %s', 'twentyeleven' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
 					?>
 					</h1>
 				</header>
diff --git a/wp-content/themes/twentyfifteen/search.php b/wp-content/themes/twentyfifteen/search.php
index 18355d351e..24fd313903 100644
--- a/wp-content/themes/twentyfifteen/search.php
+++ b/wp-content/themes/twentyfifteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
 				<h1 class="page-title">
 				<?php
 				/* translators: %s: Search query. */
-				printf( __( 'Search Results for: %s', 'twentyfifteen' ), get_search_query() );
+				printf( __( 'Search Results for: %s', 'twentyfifteen' ), esc_html( get_search_query( false ) ) );
 				?>
 				</h1>
 			</header><!-- .page-header -->
diff --git a/wp-content/themes/twentyfourteen/search.php b/wp-content/themes/twentyfourteen/search.php
index 80dc4d1e22..08970c4ea2 100644
--- a/wp-content/themes/twentyfourteen/search.php
+++ b/wp-content/themes/twentyfourteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
 				<h1 class="page-title">
 				<?php
 				/* translators: %s: Search query. */
-				printf( __( 'Search Results for: %s', 'twentyfourteen' ), get_search_query() );
+				printf( __( 'Search Results for: %s', 'twentyfourteen' ), esc_html( get_search_query( false ) ) );
 				?>
 				</h1>
 			</header><!-- .page-header -->
diff --git a/wp-content/themes/twentynineteen/search.php b/wp-content/themes/twentynineteen/search.php
index af9d26540c..9d24324a06 100644
--- a/wp-content/themes/twentynineteen/search.php
+++ b/wp-content/themes/twentynineteen/search.php
@@ -20,7 +20,7 @@ get_header();
 			<header class="page-header">
 				<h1 class="page-title">
 					<?php _e( 'Search results for: ', 'twentynineteen' ); ?>
-					<span class="page-description"><?php echo get_search_query(); ?></span>
+					<span class="page-description"><?php echo esc_html( get_search_query( false ) ); ?></span>
 				</h1>
 			</header><!-- .page-header -->
 
diff --git a/wp-content/themes/twentyseventeen/search.php b/wp-content/themes/twentyseventeen/search.php
index 5bf77c009c..d7fa8e8ebe 100644
--- a/wp-content/themes/twentyseventeen/search.php
+++ b/wp-content/themes/twentyseventeen/search.php
@@ -19,7 +19,7 @@ get_header(); ?>
 			<h1 class="page-title">
 			<?php
 			/* translators: Search query. */
-			printf( __( 'Search Results for: %s', 'twentyseventeen' ), '<span>' . get_search_query() . '</span>' );
+			printf( __( 'Search Results for: %s', 'twentyseventeen' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
 			?>
 			</h1>
 		<?php else : ?>
diff --git a/wp-content/themes/twentysixteen/search.php b/wp-content/themes/twentysixteen/search.php
index afc4a90623..999b057d78 100644
--- a/wp-content/themes/twentysixteen/search.php
+++ b/wp-content/themes/twentysixteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
 				<h1 class="page-title">
 				<?php
 				/* translators: %s: The search query. */
-				printf( __( 'Search Results for: %s', 'twentysixteen' ), '<span>' . esc_html( get_search_query() ) . '</span>' );
+				printf( __( 'Search Results for: %s', 'twentysixteen' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
 				?>
 				</h1>
 			</header><!-- .page-header -->
diff --git a/wp-content/themes/twentyten/search.php b/wp-content/themes/twentyten/search.php
index 8e69824d11..aa398cd763 100644
--- a/wp-content/themes/twentyten/search.php
+++ b/wp-content/themes/twentyten/search.php
@@ -16,7 +16,7 @@ get_header(); ?>
 				<h1 class="page-title">
 				<?php
 				/* translators: %s: Search query. */
-				printf( __( 'Search Results for: %s', 'twentyten' ), '<span>' . get_search_query() . '</span>' );
+				printf( __( 'Search Results for: %s', 'twentyten' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
 				?>
 				</h1>
 				<?php
diff --git a/wp-content/themes/twentythirteen/search.php b/wp-content/themes/twentythirteen/search.php
index a94d48a2c9..645e63572e 100644
--- a/wp-content/themes/twentythirteen/search.php
+++ b/wp-content/themes/twentythirteen/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
 				<h1 class="page-title">
 				<?php
 				/* translators: %s: Search query. */
-				printf( __( 'Search Results for: %s', 'twentythirteen' ), get_search_query() );
+				printf( __( 'Search Results for: %s', 'twentythirteen' ), esc_html( get_search_query( false ) ) );
 				?>
 				</h1>
 			</header>
diff --git a/wp-content/themes/twentytwelve/search.php b/wp-content/themes/twentytwelve/search.php
index 99acfe4034..a00d2f0113 100644
--- a/wp-content/themes/twentytwelve/search.php
+++ b/wp-content/themes/twentytwelve/search.php
@@ -18,7 +18,7 @@ get_header(); ?>
 				<h1 class="page-title">
 				<?php
 				/* translators: %s: Search query. */
-				printf( __( 'Search Results for: %s', 'twentytwelve' ), '<span>' . get_search_query() . '</span>' );
+				printf( __( 'Search Results for: %s', 'twentytwelve' ), '<span>' . esc_html( get_search_query( false ) ) . '</span>' );
 				?>
 				</h1>
 			</header>
diff --git a/wp-content/themes/twentytwenty/index.php b/wp-content/themes/twentytwenty/index.php
index 9c7442c6e9..6403ffa6fa 100644
--- a/wp-content/themes/twentytwenty/index.php
+++ b/wp-content/themes/twentytwenty/index.php
@@ -31,9 +31,9 @@ get_header();
 		global $wp_query;
 
 		$archive_title = sprintf(
-			'%1$s %2$s',
+			'%1$s &ldquo;%2$s&rdquo;',
 			'<span class="color-accent">' . __( 'Search:', 'twentytwenty' ) . '</span>',
-			'&ldquo;' . get_search_query() . '&rdquo;'
+			esc_html( get_search_query( false ) )
 		);
 
 		if ( $wp_query->found_posts ) {
diff --git a/wp-content/themes/twentytwentyone/search.php b/wp-content/themes/twentytwentyone/search.php
index b39704303e..4a7d2d5911 100644
--- a/wp-content/themes/twentytwentyone/search.php
+++ b/wp-content/themes/twentytwentyone/search.php
@@ -19,7 +19,7 @@ if ( have_posts() ) {
 			printf(
 				/* translators: %s: Search term. */
 				esc_html__( 'Results for "%s"', 'twentytwentyone' ),
-				'<span class="page-description search-term">' . esc_html( get_search_query() ) . '</span>'
+				'<span class="page-description search-term">' . esc_html( get_search_query( false ) ) . '</span>'
 			);
 			?>
 		</h1>
diff --git a/wp-content/themes/twentytwentyone/template-parts/content/content-none.php b/wp-content/themes/twentytwentyone/template-parts/content/content-none.php
index 7d34f47adc..e62b4c9fd5 100644
--- a/wp-content/themes/twentytwentyone/template-parts/content/content-none.php
+++ b/wp-content/themes/twentytwentyone/template-parts/content/content-none.php
@@ -20,7 +20,7 @@
 				printf(
 					/* translators: %s: Search term. */
 					esc_html__( 'Results for "%s"', 'twentytwentyone' ),
-					'<span class="page-description search-term">' . esc_html( get_search_query() ) . '</span>'
+					'<span class="page-description search-term">' . esc_html( get_search_query( false ) ) . '</span>'
 				);
 				?>
 			</h1>
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 75a547a5ab..93c9702d5e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-alpha-61426';
+$wp_version = '7.0-alpha-61427';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.