
Ticket #5694: 5694.04.patch

File 5694.04.patch, 2.9 KB (added by imath, 10 years ago)
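diff --git a/src/bp-core/bp-core-classes.php b/src/bp-core/bp-core-classes.php
index d79c92f..877e3ad 100644
--- a/src/bp-core/bp-core-classes.php
+++ b/src/bp-core/bp-core-classes.php
@@ -368,7 +368,7 @@ class BP_User_Query {
 		// 'search_terms' searches user_login and user_nicename
 		// xprofile field matches happen in bp_xprofile_bp_user_query_search()
 		if ( false !== $search_terms ) {
-			$search_terms = bp_esc_like( $search_terms );
+			$search_terms = bp_esc_like( wp_kses_normalize_entities( $search_terms ) );
 
 			if ( $search_wildcard === 'left' ) {
 				$search_terms_nospace = '%' . $search_terms;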
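Review bot: The normalisation added on the new line 371 is unexplained: `wp_kses_normalize_entities()` turns a bare `&` into `&amp;`, which only makes sense if the data being matched is stored entity-encoded, and nothing on the line says so. Add a comment above it such as `// Normalize entities so a raw '&' in the term matches values stored as '&amp;'.` The identical expression appears in the bp-xprofile-functions.php hunk (new line 688); a single normalisation point or a small shared helper would keep the two from drifting apart. This hunk's own comment says the query here searches user_login and user_nicename, so whether entity normalisation is appropriate for those columns, rather than only for the xprofile filter, is worth confirming. The enclosing method begins and ends outside the hunk.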
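diff --git a/src/bp-templates/bp-legacy/buddypress-functions.php b/src/bp-templates/bp-legacy/buddypress-functions.php
index e9c1acd..b119288 100644
--- a/src/bp-templates/bp-legacy/buddypress-functions.php
+++ b/src/bp-templates/bp-legacy/buddypress-functions.php
@@ -536,7 +536,7 @@ function bp_legacy_theme_ajax_querystring( $query_string, $object ) {
 
 	$object_search_text = bp_get_search_default_text( $object );
 	if ( ! empty( $_POST['search_terms'] ) && $object_search_text != $_POST['search_terms'] && 'false' != $_POST['search_terms'] && 'undefined' != $_POST['search_terms'] )
-		$qs[] = 'search_terms=' . $_POST['search_terms'];
+		$qs[] = 'search_terms=' . urlencode( $_POST['search_terms'] );
 
 	// Now pass the querystring to override default values.
 	$query_string = empty( $qs ) ? '' : join( '&', (array) $qs );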
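Review bot: `urlencode()` on the new line 539 receives `$_POST['search_terms']` without a type check; a request that submits `search_terms[]` yields an array, which passes `! empty()` and the loose comparisons on line 538 and reaches `urlencode()` as a non-string (a warning and `null` on PHP 7, a TypeError on PHP 8). Extend the guard on line 538 with `is_string( $_POST['search_terms'] )` ahead of the other comparisons. Two smaller points: WordPress slashes request data, so `wp_unslash()` before encoding is probably wanted, and `urlencode()` emits `+` for spaces, which round-trips only if the consumer of `$query_string` decodes it with `parse_str()`/`wp_parse_args()` rather than `rawurldecode()`; both depend on code outside the hunk. `bp_legacy_theme_ajax_querystring()` begins and ends outside the hunk.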
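diff --git a/src/bp-xprofile/bp-xprofile-functions.php b/src/bp-xprofile/bp-xprofile-functions.php
index 0387bd3..beffd5b 100644
--- a/src/bp-xprofile/bp-xprofile-functions.php
+++ b/src/bp-xprofile/bp-xprofile-functions.php
@@ -685,7 +685,7 @@ function bp_xprofile_bp_user_query_search( $sql, BP_User_Query $query ) {
 
 	$bp = buddypress();
 
-	$search_terms_clean = bp_esc_like( $query->query_vars['search_terms'] );
+	$search_terms_clean = bp_esc_like( wp_kses_normalize_entities( $query->query_vars['search_terms'] ) );
 
 	if ( $query->query_vars['search_wildcard'] === 'left' ) {
 		$search_terms_nospace = '%' . $search_terms_clean;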
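diff --git a/tests/phpunit/testcases/core/class-bp-user-query.php b/tests/phpunit/testcases/core/class-bp-user-query.php
index 0c2eb97..46fda6c 100644
--- a/tests/phpunit/testcases/core/class-bp-user-query.php
+++ b/tests/phpunit/testcases/core/class-bp-user-query.php
@@ -201,6 +201,23 @@ class BP_Tests_BP_User_Query_TestCases extends BP_UnitTestCase {
 		$this->assertEquals( $user_id, $found_user_id );
 	}
 
+	public function test_bp_user_query_search_with_ampersand_sign() {
+
+		// LIKE special character: &
+		$user_id = $this->create_user();
+		xprofile_set_field_data( 1, $user_id, "a&mpersand" );
+		$q = new BP_User_Query( array( 'search_terms' => "a&m", ) );
+
+		$found_user_id = null;
+		if ( ! empty( $q->results ) ) {
+			$found_user = array_pop( $q->results );
+			$found_user_id = $found_user->ID;
+		}
+
+		$this->assertEquals( $user_id, $found_user_id );
+
+	}
+
 	/**
 	 * @group search_terms
 	 */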
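Review bot: The comment `// LIKE special character: &` on the new line 206 is inaccurate: `&` has no special meaning in SQL LIKE (only `%` and `_` do), and what the test actually exercises is that a raw `&` in the search term still matches a field value that is presumably stored entity-encoded. Suggest `// A raw '&' in the search term must still match an xprofile value stored as '&amp;'.` The `array_pop( $q->results )` check on lines 212-215 inspects only one result, so the outcome depends on result order if more than one user matches; `$this->assertCount( 1, $q->results )` before the pop would pin the behaviour more tightly, assuming no fixture user also matches `a&m`. The blank line before the closing brace on line 218 is inconsistent with the neighbouring test method.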