Expand Up @@ -118,6 +118,32 @@ public function test_underscore_prefix_is_escaped() {
);
}

/**
* A prefix containing a backslash must be escaped.
*/
public function test_backslash_prefix_is_escaped() {
global $wpdb;

// The prefix is the three characters a \ b.
acf_get_option_meta( 'a\\b' );

$good = $this->expected_like_fragment( 'a\\b_' );
$this->assertStringContainsString(
$good,
$this->captured_sql,
'A backslash in the prefix should be escaped via esc_like().'
);

// The previous str_replace() approach escaped only `_`, leaving the
// backslash unescaped. That exact fragment must not appear.
$bad = $wpdb->prepare( '%s', str_replace( '_', '\_', 'a\\b_%' ) );
$this->assertStringNotContainsString(
$bad,
$this->captured_sql,
'The pattern with an unescaped backslash must not be generated.'
);
}

/**
* A benign prefix still produces the expected (unchanged) pattern.
*/
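Review bot: The negative assertion in test_backslash_prefix_is_escaped() may pass vacuously, because `$bad` comes from `$wpdb->prepare( '%s', … )` and is only a valid needle if `$this->captured_sql` holds the query in the same quoted, placeholder-escaped form. The capture hook and `expected_like_fragment()` are outside this hunk, so that cannot be confirmed from here. If the SQL is captured after wpdb has removed its `%` placeholder escape, normalise the needle first with `$bad = $wpdb->remove_placeholder_escape( $bad );`. The same construction is used in test_upgrade_550_taxonomy_escapes_backslash() in tests/php/includes/test-like-escaping-parity.php.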
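--- a/tests/php/includes/test-like-escaping-parity.php
+++ b/tests/php/includes/test-like-escaping-parity.php
@@ -102,6 +102,31 @@ public function test_upgrade_550_taxonomy_escapes_like() {
 );
 }
 
+/**
+* Ensures acf_upgrade_550_taxonomy() also escapes a backslash.
+*/
+public function test_upgrade_550_taxonomy_escapes_backslash() {
+global $wpdb;
+
+// The taxonomy is the three characters a \ b.
+acf_upgrade_550_taxonomy( 'a\\b' );
+
+$query = $this->last_query();
+$this->assertNotEmpty( $query, 'The upgrade SELECT should have been captured.' );
+$this->assertStringContainsString(
+$this->expected_fragment( 'a\\b_' ),
+$query,
+'A backslash should be escaped via esc_like().'
+);
+
+$bad = $wpdb->prepare( '%s', str_replace( '_', '\_', 'a\\b_%' ) );
+$this->assertStringNotContainsString(
+$bad,
+$query,
+'The pattern with an unescaped backslash must not be generated.'
+);
+}
+
 /**
  * Ensures acf_form_taxonomy::delete_term() escapes the taxonomy and term
  * in its legacy (no-termmeta) DELETE.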
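Review bot: The `$bad` check in test_upgrade_550_taxonomy_escapes_backslash() has no comment explaining what it guards against, so the hard-coded `'a\\b_%'` literal reads as arbitrary. Above the `$bad = …` line I would add `// The previous str_replace() approach escaped only '_', leaving the backslash unescaped; that exact fragment must not appear.` A short note that the `_%` suffix mirrors what acf_upgrade_550_taxonomy() appends to the taxonomy would also help; that is inferred from the `expected_fragment( 'a\\b_' )` call, since the function itself is not visible here.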