Selector Arrays automatically stripping out characters from values

[thetuningspoon]

Short description of the issue

When I try to search for a page with a title that contains a '#' character using a selector array, the matching page is not found. It appears that selector arrays are automatically applying some kind of sanitizer to the values (my brief review of the code indicates that selectorValue is the sanitizer being applied)

Expected behavior

I mainly use selector arrays when I want to avoid having to use a sanitizer that might strip out characters that I need to match on but could be unsafe in the context of a selector string. I expect selector arrays to not apply any sanitizer to my values unless I specify one explicitly.

Actual behavior

I believe Sanitizer::selectorValue() is being applied automatically. When I specify 'text' as my sanitizer (third item in each array) then the page matches correctly.

Steps to reproduce the issue

1. Create a page with the '#' character somewhere in the title
2. Do a $pages->get() with selector array that searches for the title from above

Setup/Environment

• ProcessWire version: 3.0.178

[thetuningspoon]

Also, I could have sworn that Ryan added documentation of selector arrays to the Docs, but I can't find it anywhere.

[ryancramerdesign]

@thetuningspoon The selector arrays apply the selectorValue sanitizer automatically, and it's one of the reasons to use them, so that you don't have to specifically apply it on your own like you would with a selector string. For your case, you could specify 'text' for the sanitize method, or if you don't need a sanitizer you could just specify a blank string for that argument, which would prevent it from attempting any sanitization, i.e. [ 'field', 'operator', 'value', '' ]

[thetuningspoon]

@ryancramerdesign Thanks. I thought that the selectorValue sanitizer was specifically for sanitizing a value in the context of a selector string, which is why it removes commas, quotes, and other characters that have special meaning in a selector string. Am I correct that there is no security concern in allowing these characters in the value of a selector array since the value is isolated in an array element? Or does the array get put back together into a string before being evaluated by ProcessWire?

Have selector arrays always applied the selectorValue sanitizer automatically? In the past I have used a selector array instead of a selector string in order to match a string that could have double quotes in it, and I thought it was working?

[ryancramerdesign]

@thetuningspoon Sorry, I didn't word it right before. You are right that selectorValue() is for the purpose of sanitizing it within a selector string. The selectors array gets converted to a Selectors object, containing one or more Selector objects within. The field(s) are completely isolated from the value(s), and remain that way until used in the page finding DB query, so a selectorValue() sanitizer is no longer applicable or necessary when using an array. Selector strings also are converted to Selectors objects in the same way, but it has to isolate the field, operator and value from each component of the selector. The selectorValue() is necessary in a selector string so that the operator can't get mixed up with the value, and the value can't get mixed up with another item in the selector string.