diff --git a/includes/core/class-member-directory.php b/includes/core/class-member-directory.php index 556b007c..c1e2668e 100644 --- a/includes/core/class-member-directory.php +++ b/includes/core/class-member-directory.php @@ -1531,7 +1531,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { if ( ! empty( $_POST['search'] ) ) { // complex using with change_meta_sql function - $search = trim( stripslashes( sanitize_text_field( $_POST['search'] ) ) ); + $search = trim( sanitize_text_field( wp_unslash( $_POST['search'] ) ) ); $meta_query = array( 'relation' => 'OR', @@ -1549,7 +1549,7 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { ), ); - $meta_query = apply_filters( 'um_member_directory_general_search_meta_query', $meta_query, stripslashes( sanitize_text_field( $_POST['search'] ) ) ); + $meta_query = apply_filters( 'um_member_directory_general_search_meta_query', $meta_query, $search ); $this->query_args['meta_query'][] = $meta_query; @@ -1574,14 +1574,15 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { function change_meta_sql( $sql, $queries, $type, $primary_table, $primary_id_column, $context ) { if ( ! empty( $_POST['search'] ) ) { global $wpdb; - $search = trim( stripslashes( sanitize_text_field( $_POST['search'] ) ) ); + + $search = trim( sanitize_text_field( wp_unslash( $_POST['search'] ) ) ); if ( ! empty( $search ) ) { $meta_value = '%' . $wpdb->esc_like( $search ) . '%'; $search_meta = $wpdb->prepare( '%s', $meta_value ); - + // str_replace( '/', '\/', wp_slash( $search_meta ) ) means that we add backslashes to special symbols + add backslash to slash(/) symbol for proper regular pattern. preg_match( - '/^(.*).meta_value LIKE ' . addslashes( $search_meta ) . '[^\)]/im', + '/^(.*).meta_value LIKE ' . str_replace( '/', '\/', wp_slash( $search_meta ) ) . '[^\)]/im', $sql['where'], $join_matches ); @@ -1616,8 +1617,9 @@ if ( ! class_exists( 'um\core\Member_Directory' ) ) { $search_where = preg_replace( '/ AND \((.*?)\)/im', "$1 OR", $search_where ); + // str_replace( '/', '\/', wp_slash( $search ) ) means that we add backslashes to special symbols + add backslash to slash(/) symbol for proper regular pattern. $sql['where'] = preg_replace( - '/(' . $meta_join_for_search . '.meta_value = \'' . esc_attr( $search ) . '\')/im', + '/(' . $meta_join_for_search . '.meta_value = \'' . str_replace( '/', '\/', wp_slash( $search ) ) . '\')/im', trim( $search_where ) . " $1", $sql['where'], 1