Merge pull request #90 from badasswp/fix/make-regex-opt-in-for-search-replace

badasswp · web-flow · commit 281aebe6fa14 · 2026-03-15T13:50:10.000+01:00
Fix: Make regex opt in for Search &amp; Replace
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 * Feat: Add Plugin options page.
 * Feat: Add Shortcut command (CMD + F).
 * Feat: Add custom hooks: `afterSearchReplace`, `excludedPostTypes`, `regexPattern`.
+* Fix: Make default search literal & regex opt-in.
 * Refactor: Use `replaceInput` in place of repeated instances of `text`.
 * Test: Add e2e tests for plugin codebase.
 * Tested up to WP 6.9.
diff --git a/readme.txt b/readme.txt
@@ -69,6 +69,7 @@ Want to add your personal touch? All of our documentation can be found [here](ht
 * Feat: Add Plugin options page.
 * Feat: Add Shortcut command (CMD + F).
 * Feat: Add custom hooks: `afterSearchReplace`, `excludedPostTypes`, `regexPattern`.
+* Fix: Make default search literal & regex opt-in.
 * Refactor: Use `replaceInput` in place of repeated instances of `text`.
 * Test: Add e2e tests for plugin codebase.
 * Tested up to WP 6.9.
diff --git a/src/core/app.tsx b/src/core/app.tsx
@@ -13,6 +13,8 @@ import {
 
 import { Shortcut } from './shortcut';
 import {
+	getPattern,
+	escapeRegex,
 	getAllowedBlocks,
 	getBlockEditorIframe,
 	ifIsCaseSensitiveBasedOnFilter,
@@ -169,13 +171,27 @@ const SearchReplaceForBlockEditor = (): JSX.Element => {
 		}
 
 		// Prepare raw string pattern.
-		const rawPattern = `(?<!<[^>]*)${ searchInput }(?<![^>]*<)`;
+		const rawPattern = getPattern(
+			isRegexExpression ? searchInput : escapeRegex( searchInput )
+		);
+
+		// Is Search case sensitive.
+		const isSearchCaseSensitive =
+			ifIsCaseSensitiveBasedOnFilter() || isCaseSensitive ? 'g' : 'gi';
+
+		// Define pattern.
+		let regexPattern: RegExp;
 
 		// Get Regex search pattern.
-		const regexPattern: RegExp = new RegExp(
-			rawPattern,
-			ifIsCaseSensitiveBasedOnFilter() || isCaseSensitive ? 'g' : 'gi'
-		);
+		try {
+			regexPattern = new RegExp( rawPattern, isSearchCaseSensitive );
+		} catch ( error ) {
+			// fallback to non-regex pattern.
+			regexPattern = new RegExp(
+				getPattern( escapeRegex( searchInput ) ),
+				isSearchCaseSensitive
+			);
+		}
 
 		/**
 		 * Filter the way we set the pattern, let users
diff --git a/src/core/filters.tsx b/src/core/filters.tsx
@@ -73,7 +73,7 @@ addFilter(
 				);
 
 				return {
-					newAttr: JSON.parse( tableString ),
+					newAttr: JSON.parse( tableString || '{}' ),
 					isChanged: tableString !== JSON.stringify( oldAttr ),
 				};
 
diff --git a/src/core/utils.tsx b/src/core/utils.tsx
@@ -397,3 +397,34 @@ export const isAllowedForPostType = (): boolean => {
 
 	return true;
 };
+
+/**
+ * Escape user input for safe
+ * literal RegExp usage.
+ *
+ * @since 1.10.0
+ *
+ * @param {string} value Raw user input.
+ * @return {string} Escaped input.
+ */
+export const escapeRegex = ( value: string ): string => {
+	if ( typeof value !== 'string' ) {
+		return '';
+	}
+
+	return value.replace( /[.*+?^${}()|[\]\\]/g, '\\$&' );
+};
+
+/**
+ * Get Search Pattern.
+ *
+ * This function returns a string pattern
+ * that targets only texts within valid HTML markup.
+ *
+ * @since 1.10.0
+ *
+ * @param {string} searchText Search Text.
+ * @return {string} Search Pattern.
+ */
+export const getPattern = ( searchText: string ): string =>
+	`(?<!<[^>]*)${ searchText }(?<![^>]*<)`;
diff --git a/tests/unit/js/utils.test.tsx b/tests/unit/js/utils.test.tsx
@@ -391,3 +391,37 @@ describe( 'getShortcutEvent', () => {
 		expect( shortcutEvent ).toBeInstanceOf( KeyboardEvent );
 	} );
 } );
+
+describe( 'escapeRegex', () => {
+	beforeEach( () => {
+		jest.resetModules();
+	} );
+
+	it( 'escapeRegex escapes regex metacharacters', () => {
+		const { escapeRegex } = require( '../../../src/core/utils' );
+
+		const escaped = escapeRegex( 'a.b+c*^$()[]{}|\\' );
+
+		expect( escaped ).toBe( 'a\\.b\\+c\\*\\^\\$\\(\\)\\[\\]\\{\\}\\|\\\\' );
+	} );
+
+	it( 'escapeRegex leaves plain text unchanged', () => {
+		const { escapeRegex } = require( '../../../src/core/utils' );
+
+		const escaped = escapeRegex( 'plain text' );
+
+		expect( escaped ).toBe( 'plain text' );
+	} );
+
+	it( 'escapeRegex returns empty string for non-string inputs', () => {
+		const { escapeRegex } = require( '../../../src/core/utils' );
+
+		expect( escapeRegex( 123 ) ).toBe( '' );
+	} );
+
+	it( 'escapeRegex returns empty string for empty input', () => {
+		const { escapeRegex } = require( '../../../src/core/utils' );
+
+		expect( escapeRegex( '' ) ).toBe( '' );
+	} );
+} );
