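diff --git src/bp-core/bp-core-classes.php src/bp-core/bp-core-classes.php
index d79c92f..877e3ad 100644
--- a/src/bp-core/bp-core-classes.php
+++ b/src/bp-core/bp-core-classes.php
@@ -368,7 +368,7 @@ class BP_User_Query {
 // 'search_terms' searches user_login and user_nicename
 // xprofile field matches happen in bp_xprofile_bp_user_query_search()
 if ( false !== $search_terms ) {
-$search_terms = bp_esc_like( $search_terms );
+$search_terms = bp_esc_like( wp_kses_normalize_entities( $search_terms ) );
 
 if ( $search_wildcard === 'left' ) {
 $search_terms_nospace = '%' . $search_terms;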
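Review bot: The entity normalization added on new line 371 is applied to a needle that, per the comment on line 368, is matched against `user_login` and `user_nicename`, and those columns are not HTML-entity-encoded the way stored xprofile values appear to be (the companion test expects `a&m` to find a stored `a&mpersand` field only through the xprofile path). If a login can hold a literal `&` (WordPress's non-strict `sanitize_user()` leaves a bare `&` in place, as far as I recall — worth confirming), the search `a&m` becomes `a&amp;m` and stops matching that login, so this hunk trades one miss for another. Since bp_xprofile_bp_user_query_search() normalizes the raw `$query->query_vars['search_terms']` independently in its own hunk, consider keeping the original `$search_terms = bp_esc_like( $search_terms );` here and documenting the split: `// Raw '&' is kept on purpose: user_login/user_nicename are stored unencoded; the xprofile filter normalizes entities for its own LIKE.` Either way the line deserves a comment saying why normalization is (or is not) applied to this column set. The search branch of BP_User_Query continues past the end of the hunk.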
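diff --git src/bp-templates/bp-legacy/buddypress-functions.php src/bp-templates/bp-legacy/buddypress-functions.php
index e9c1acd..b119288 100644
--- a/src/bp-templates/bp-legacy/buddypress-functions.php
+++ b/src/bp-templates/bp-legacy/buddypress-functions.php
@@ -536,7 +536,7 @@ function bp_legacy_theme_ajax_querystring( $query_string, $object ) {
 
 $object_search_text = bp_get_search_default_text( $object );
 if ( ! empty( $_POST['search_terms'] ) && $object_search_text != $_POST['search_terms'] && 'false' != $_POST['search_terms'] && 'undefined' != $_POST['search_terms'] )
-$qs[] = 'search_terms=' . $_POST['search_terms'];
+$qs[] = 'search_terms=' . urlencode( $_POST['search_terms'] );
 
 // Now pass the querystring to override default values.
 $query_string = empty( $qs ) ? '' : join( '&', (array) $qs );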
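Review bot: `urlencode()` on new line 539 receives `$_POST['search_terms']` with no type check, and every guard on line 538 (`! empty()` plus three loose `!=` string comparisons) passes for a non-empty array such as `search_terms[]=x` sent by any client; on PHP 8 `urlencode()` then throws a TypeError and the AJAX handler dies, and on PHP 7 it warns and emits an empty `search_terms=` parameter. Add a string check to the condition so array input is simply dropped: `if ( ! empty( $_POST['search_terms'] ) && is_string( $_POST['search_terms'] ) && $object_search_text != $_POST['search_terms'] && 'false' != $_POST['search_terms'] && 'undefined' != $_POST['search_terms'] )`. A second thing I cannot verify from the hunk: WordPress slash-escapes `$_POST` via `wp_magic_quotes()`, so a term like `O'Brien` would be URL-encoded with its backslash unless `wp_unslash()` is applied first — if the downstream query does not unslash, that is a pre-existing miss this change does not address. bp_legacy_theme_ajax_querystring() starts before the hunk, so I cannot see whether `$qs` and the nonce handling are set up there.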
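diff --git src/bp-xprofile/bp-xprofile-functions.php src/bp-xprofile/bp-xprofile-functions.php
index 0387bd3..beffd5b 100644
--- a/src/bp-xprofile/bp-xprofile-functions.php
+++ b/src/bp-xprofile/bp-xprofile-functions.php
@@ -685,7 +685,7 @@ function bp_xprofile_bp_user_query_search( $sql, BP_User_Query $query ) {
 
 $bp = buddypress();
 
-$search_terms_clean = bp_esc_like( $query->query_vars['search_terms'] );
+$search_terms_clean = bp_esc_like( wp_kses_normalize_entities( $query->query_vars['search_terms'] ) );
 
 if ( $query->query_vars['search_wildcard'] === 'left' ) {
 $search_terms_nospace = '%' . $search_terms_clean;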
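Review bot: New line 688 gives no hint why the needle is run through `wp_kses_normalize_entities()` before `bp_esc_like()`, and the next maintainer will be tempted to remove it as redundant sanitization of a value that only feeds a LIKE. A one-line comment above it would pin the intent, e.g. `// Stored xprofile values are kses-normalized ("a&amp;b"), so the needle must be normalized the same way before it is escaped for LIKE; bp_esc_like() must stay the outer call.` — the storage-side encoding is my inference from the companion test, so confirm it against the xprofile save path before committing the wording. Note that `wp_kses_normalize_entities()` is called on the raw query var here, not on the escaped copy BP_User_Query builds, so the two code paths stay independent; the early-return guard on an empty or `false` `search_terms` (if any) sits in the lines before 685, outside the hunk.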
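diff --git tests/phpunit/testcases/core/class-bp-user-query.php tests/phpunit/testcases/core/class-bp-user-query.php
index 0c2eb97..46fda6c 100644
--- a/tests/phpunit/testcases/core/class-bp-user-query.php
+++ b/tests/phpunit/testcases/core/class-bp-user-query.php
@@ -201,6 +201,23 @@ class BP_Tests_BP_User_Query_TestCases extends BP_UnitTestCase {
 $this->assertEquals( $user_id, $found_user_id );
 }
 
+public function test_bp_user_query_search_with_ampersand_sign() {
+
+// LIKE special character: &
+$user_id = $this->create_user();
+xprofile_set_field_data( 1, $user_id, "a&mpersand" );
+$q = new BP_User_Query( array( 'search_terms' => "a&m", ) );
+
+$found_user_id = null;
+if ( ! empty( $q->results ) ) {
+$found_user = array_pop( $q->results );
+$found_user_id = $found_user->ID;
+}
+
+$this->assertEquals( $user_id, $found_user_id );
+
+}
+
 /**
 * @group search_terms
 */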
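Review bot: The comment on new line 206, `// LIKE special character: &`, is wrong about the mechanism — `&` is not a MySQL LIKE metacharacter (only `%`, `_` and the escape character are), and what the test actually exercises is that a needle containing `&` still matches an xprofile value that is stored entity-encoded. Replace it with something like `// '&' is stored entity-encoded in xprofile data ("a&amp;mpersand"); the search needle must be normalized the same way to match.` so nobody later "fixes" bp_esc_like() to escape `&`. The test also covers only the xprofile path; a sibling test creating a user whose `user_login` contains a literal `&` (if the test factory allows it) would catch the case where the new normalization in BP_User_Query itself stops a login match. Finally, the neighbouring tests carry an `@group search_terms` docblock (lines 221-223) that this new method lacks, so it will be skipped when that group is run in isolation.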