Checking either the "Respect word boundaries" or "Match whole word/phrase" boxes in the config section of the screen for creating or editing a new instance of a tamper plugin will silently switch the find-and-replace to using REGEXes.

Further, because $settings['find'] isn't escaped, any slash that a user puts into the "Text to find" field will lead to preg_replace() to try to wrongly interpret any characters after the slash as REGEX modifiers, leading to a total, silent failure of the import.

plugins/find_replace.inc:

function feeds_tamper_find_replace_validate(&$settings) {
  $settings['regex'] = FALSE;

if (!$settings['word_boundaries'] && !$settings['whole'] && $settings['case_sensitive']) {
    $settings['func'] = 'str_replace';
  }
  elseif (!$settings['word_boundaries'] && !$settings['whole'] && !$settings['case_sensitive']) {
    $settings['func'] = 'str_ireplace';
  }
  else {
    $settings['regex'] = TRUE;

    if ($settings['whole']) {
      $regex = '/^' . $settings['find'] . '$/';
    }
    else {
      $regex = '/\b' . $settings['find'] . '\b/';
    }
    if (!$settings['case_sensitive']) {
      $regex .= 'i';
    }
    $settings['regex_find'] = $regex;
  }
}

Comments

twistor’s picture

twistor commented
Title: Disclose Enabling of REGEX Find/Replace in Descriptions of "Respect word boundaries" and "Match whole word/phrase" » Use preg_quote() to escapte user inputed regex.
Version: 7.x-1.0-beta5 » 6.x-1.x-dev
Component: User interface » Plugins
Status: Active » Patch (to be ported)

How about we fix it rather than document it?

  • twistor committed 7212c1f on 7.x-1.x 
    Issue #2180051 by mzanon100: Use preg_quote() to escapte user inputed...

  • twistor committed ed8cf14 on 6.x-1.x 
    Issue #2180051 by mzanon100: Fixed Use preg_quote() to escapte user...
twistor’s picture

twistor commented
Version: 6.x-1.x-dev » 7.x-1.x-dev
Status: Patch (to be ported) » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.