Accidentally, I discovered that whenever there is a backslash at the end of a search, the page after clicking submit will return a broken search form.
In my case, the submit button turned into a text area.
Using Google Chrome’s “inspect element” I saw that my search form turned into this:
<form method="get" action="">
<input type="hidden" name="type" value="books">
<input type="text" name="search" value=""> <input type=">
</form>
</div></div></div><div id=" sidebar"="" class="sidebar widget-area"></form>
The following code is my form. I am guessing that I need to sanitize/escape the value from the input type text? But why isn’t esc_attr() working?
<form action="" method="get">
<input type="text" name="search" value="<?php echo esc_attr(stripslashes($_GET['search'])); ?>">
<input type="submit" value="Search">
<input type="checkbox" name="title">
</form>
P.S. I am using this custom search form to search custom fields and display the resulting custom post types using Pods Plugin. It doesn’t appear that this is a Pods plugin issue though.
https://github.com/pods-framework/pods/issues/1620
Also, this doesn’t appear to be a conflict from another theme or plugin.
I’ve made some tests. I’m guessing that your question was misunderstood; this code should work:
You can check the PHP urldecode function for extra info.
Decoding a URL is the opposite of encoding it: when a special character is submitted it needs to be encoded, and when you want to display it you’ll have to decode it.
EDIT:
After the form is submitted, when its values are processed, you have to use esc_attr(stripslashes($_GET['search'])) so that the value becomes encoded and SQL injections and other format issues are avoided. Again, this has to happen in the PHP file where the form is processed, usually after an if ($_GET) statement.
I have tried dozens of sanitization and escaping methods. But in the end, only preg_replace worked against that annoying backslash.
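An added example (not code from this thread, WordPress or Pods) that handles the search value in two separate steps: strip backslashes from the term, then escape it for the HTML attribute at output time. It runs as stand-alone PHP, so `htmlspecialchars()` stands in for `esc_attr()`; the function names, the backslash pattern and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: stand-alone PHP, no WordPress loaded.
// htmlspecialchars() stands in for esc_attr(); the backslash-stripping
// pattern is an assumption (the thread does not show the one that was used).

/** Normalise a raw search term taken from the query string. */
function clean_search_term(string $raw): string
{
    // Remove every backslash so a trailing "\" never reaches the markup.
    $term = preg_replace('/\\\\/', '', $raw) ?? '';
    // Drop control characters, then trim surrounding whitespace.
    $term = preg_replace('/[\x00-\x1F\x7F]/', '', $term) ?? '';
    return trim($term);
}

/** Render the search box with the term escaped for an HTML attribute. */
function render_search_input(string $term): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    $attr = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search" value="' . $attr . '">';
}

// Constructed sample inputs (not taken from the thread).
$samples = [
    'harry potter\\',        // ends with a single backslash
    'O\'Reilly "PHP"',       // contains both quote characters
    '"><input type="',       // tries to close the attribute and the tag
];

foreach ($samples as $raw) {
    echo render_search_input(clean_search_term($raw)), PHP_EOL;
}
```

Each printed line keeps `value="…"` intact as one attribute, with quotes and angle brackets from the input emitted as entities.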