Infinite Scroll Security & Query Sanitization
Starting with Neve v4.2.3, the theme implements a strict sanitization layer for infinite scroll query arguments to prevent query manipulation and ensure site security and performance.
Allowed Query Parameters
When using infinite scroll, only the following WP_Query arguments are permitted:
| Parameter | Description |
|---|---|
category_name | Filter posts by category slug |
tag | Filter posts by tag slug |
s | Search term |
order | Sort direction: ASC or DESC |
orderby | Sort field: date, title, author, modified, comment_count |
author | Filter by author ID |
author_name | Filter by author login name |
year | Filter by year |
monthnum | Filter by month number |
day | Filter by day of the month |
post_type | Post type (must be a publicly queryable post type) |
Restricted Parameters
For security reasons, the following parameters (among others) are explicitly stripped from public infinite scroll requests:
meta_query,meta_key,meta_valuetax_querypost__in,post__not_infields
Any argument not in the allowlist above is removed before the query is executed.
Customizing the Query
If you need to filter or extend the infinite scroll query beyond the allowed parameters, use the standard WordPress pre_get_posts action hook on the server side instead of passing custom arguments through the client-side request:
add_action( 'pre_get_posts', function( $query ) {
if ( $query->is_main_query() && ! is_admin() ) {
// Your custom query modifications here
$query->set( 'meta_key', 'featured' );
$query->set( 'meta_value', '1' );
}
} );This approach keeps query logic server-side where it cannot be manipulated by end users, and works correctly with Neve's infinite scroll implementation.