Backslash at the end of searchword breaks custom search form

Accidentally, I discovered that whenever there is a backslash at the end of a search, the page after clicking submit will return a broken search form.

In my case, the submit button turned into a text area.


Using Google Chrome’s “inspect element” I saw that my search form turned into this:

<form method="get" action="">
        <input type="hidden" name="type" value="books">
        <input type="text" name="search" value="">        <input type="&gt;
    &lt;/form&gt;
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div id=" sidebar"="" class="sidebar widget-area"></form>

The following code is my form. I am guessing that I need to sanitize/escape the value from the input type text? But why isn’t esc_attr() working?

<form action="" method="get">
<input type="text" name="search" value="<?php echo esc_attr(stripslashes($_GET['search'])); ?>">
<input type="submit" value="Search">
<input type="checkbox" name="title">
</form>

P.S. I am using this custom search form to search custom fields and display the resulting custom post types using Pods Plugin. It doesn’t appear that this is a Pods plugin issue though.

https://github.com/pods-framework/pods/issues/1620

Also, this doesn’t appear to be a conflict from another theme or plugin.

2 comments

  1. I’ve made some tests; I’m guessing that your question was misunderstood. This code should work:

    <form action="" method="get">
    <input type="text" name="search" value="<?php echo urldecode($_GET['search']); ?>">
    <input type="submit" value="Search">
    <input type="checkbox" name="title">
    </form>
    

    You can check the php urldecode function for extra info.

    Decoding a URL is the opposite of encoding it: when a special character is submitted it needs to be encoded, and when you want to display it you’ll have to decode it.

    EDIT:
    After the form is submitted, when its values are processed, you have to use esc_attr(stripslashes($_GET['search'])) so that the value becomes encoded and SQL injections and other format issues are avoided. Again, this has to happen in the PHP file where the form is processed, usually after an if ($_GET) statement.
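An added example, not part of the question or the answer above, that runs in plain PHP outside WordPress: it mimics the slash-adding WordPress applies to $_GET and compares the question's esc_attr(stripslashes()) output with the answer's urldecode() output for a trailing backslash, a percent sign and a double quote. esc_attr() is WordPress's own function; the stand-in defined here, the wp_style_get() helper and the sample terms are assumptions made so the script runs stand-alone.

```php
<?php
// Added example: compare the two ways of echoing the search term into value="".
// Assumes PHP 7+. esc_attr() belongs to WordPress, so a stand-in is defined when absent.

if (!function_exists('esc_attr')) {
    // Stand-in for WordPress esc_attr(): encode &, <, >, " and ' for an attribute value.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// WordPress runs wp_magic_quotes() at load, so $_GET values arrive with slashes added.
// PHP has already %XX-decoded the query string before that happens.
function wp_style_get(string $decoded_query_value): string {
    return addslashes($decoded_query_value);
}

// The question's approach: undo the added slashes, then encode for an attribute.
function search_value_attr(string $get_value): string {
    return 'value="' . esc_attr(stripslashes($get_value)) . '"';
}

// The answer's approach: urldecode() a value that PHP already URL-decoded, no escaping.
function search_value_attr_urldecode(string $get_value): string {
    return 'value="' . urldecode($get_value) . '"';
}

// Constructed search terms, as they look after PHP's own %XX decoding.
$cases = [
    'trailing backslash' => 'pods\\',       // the case from the question
    'literal percent'    => '50%25 off',   // user typed "50%25 off"; urldecode turns %25 into %
    'quote in term'      => 'say "hi"',    // unescaped, the quote ends the attribute early
];

foreach ($cases as $label => $typed) {
    $get = wp_style_get($typed);
    echo $label, "\n";
    echo "  \$_GET['search']        : ", $get, "\n";
    echo "  esc_attr(stripslashes) : ", search_value_attr($get), "\n";
    echo "  urldecode (answer)     : ", search_value_attr_urldecode($get), "\n";
}
```

For the trailing-backslash case, esc_attr(stripslashes()) yields value="pods\", which is valid HTML, so the form markup the question shows is not produced by that line; the urldecode() variant leaves the added slashes in place and, for the quote case, ends the attribute early.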