Fix: Handle JSON-encoded URLs in search-replace for WordPress font data

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Author: Copilot

features/search-replace.feature

@@ -238,6 +238,55 @@ Feature: Do global search/replace
       | key               | value                                    |
       | header_image_data | {"url":"https:\/\/example.com\/foo.jpg"} |
 
+  @require-mysql
+  Scenario: Search and replace handles JSON-encoded URLs in post content
+    Given a WP install
+    And a create-post-with-json-content.php file:
+      """
+      <?php
+      $post_id = wp_insert_post( [
+          'post_type'    => 'post',
+          'post_status'  => 'publish',
+          'post_title'   => 'Font Test',
+          'post_content' => json_encode( [ 'src' => 'http://example.com/wp-content/uploads/fonts/test.woff2', 'fontWeight' => '400' ] ),
+      ] );
+      echo $post_id;
+      """
+    And I run `wp eval-file create-post-with-json-content.php`
+    Then save STDOUT as {POST_ID}
+
+    When I run `wp post get {POST_ID} --field=post_content`
+    Then STDOUT should contain:
+      """
+      http:\/\/example.com
+      """
+
+    When I run `wp search-replace 'http://example.com' 'http://newdomain.com' wp_posts --include-columns=post_content`
+    Then STDOUT should be a table containing rows:
+      | Table    | Column       | Replacements | Type |
+      | wp_posts | post_content | 1            | SQL  |
+
+    When I run `wp post get {POST_ID} --field=post_content`
+    Then STDOUT should contain:
+      """
+      http:\/\/newdomain.com
+      """
+    And STDOUT should not contain:
+      """
+      http:\/\/example.com
+      """
+
+    When I run `wp search-replace 'http://newdomain.com' 'http://example.com' wp_posts --include-columns=post_content --precise`
+    Then STDOUT should be a table containing rows:
+      | Table    | Column       | Replacements | Type |
+      | wp_posts | post_content | 1            | PHP  |
+
+    When I run `wp post get {POST_ID} --field=post_content`
+    Then STDOUT should contain:
+      """
+      http:\/\/example.com
+      """
+
   @require-mysql
   Scenario: Search and replace with quoted strings
     Given a WP install

src/Search_Replace_Command.php

@@ -652,19 +652,29 @@ private function sql_handle_col( $col, $primary_keys, $table, $old, $new ) {
 
 		$table_sql = self::esc_sql_ident( $table );
 		$col_sql   = self::esc_sql_ident( $col );
+		$old_json  = self::json_encode_strip_quotes( $old );
+		$new_json  = self::json_encode_strip_quotes( $new );
 		if ( $this->dry_run ) {
 			if ( $this->log_handle ) {
 				$count = $this->log_sql_diff( $col, $primary_keys, $table, $old, $new );
 			} else {
 				// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 				$count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT($col_sql) FROM $table_sql WHERE $col_sql LIKE BINARY %s;", '%' . self::esc_like( $old ) . '%' ) );
+				if ( $old_json !== $old ) {
+					// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
+					$count += (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT($col_sql) FROM $table_sql WHERE $col_sql LIKE BINARY %s;", '%' . self::esc_like( $old_json ) . '%' ) );
+				}
 			}
 		} else {
 			if ( $this->log_handle ) {
 				$this->log_sql_diff( $col, $primary_keys, $table, $old, $new );
 			}
 			// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 			$count = $wpdb->query( $wpdb->prepare( "UPDATE $table_sql SET $col_sql = REPLACE($col_sql, %s, %s);", $old, $new ) );
+			if ( $old_json !== $old ) {
+				// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
+				$count += (int) $wpdb->query( $wpdb->prepare( "UPDATE $table_sql SET $col_sql = REPLACE($col_sql, %s, %s);", $old_json, $new_json ) );
+			}
 		}
 
 		if ( $this->verbose && 'table' === $this->format ) {
@@ -686,8 +696,12 @@ private function php_handle_col( $col, $primary_keys, $table, $old, $new ) {
 		$base_key_condition = '';
 		$where_key          = '';
 		if ( ! $this->regex ) {
+			$old_json           = self::json_encode_strip_quotes( $old );
 			$base_key_condition = "$col_sql" . $wpdb->prepare( ' LIKE BINARY %s', '%' . self::esc_like( $old ) . '%' );
-			$where_key          = "WHERE $base_key_condition";
+			if ( $old_json !== $old ) {
+				$base_key_condition = "( $base_key_condition OR $col_sql" . $wpdb->prepare( ' LIKE BINARY %s', '%' . self::esc_like( $old_json ) . '%' ) . ' )';
+			}
+			$where_key = "WHERE $base_key_condition";
 		}
 
 		$escaped_primary_keys = self::esc_sql_ident( $primary_keys );
@@ -917,6 +931,19 @@ private static function esc_like( $old ) {
 		return $old;
 	}
 
+	/**
+	 * Returns the JSON-encoded representation of a string with the surrounding quotes stripped.
+	 * This is used to also handle values stored as raw JSON in the database (e.g. WordPress font data).
+	 * Returns the original string unchanged if JSON encoding fails (e.g. invalid UTF-8).
+	 *
+	 * @param string $str The string to encode.
+	 * @return string The JSON-encoded string without surrounding quotes, or the original string on failure.
+	 */
+	private static function json_encode_strip_quotes( $str ) {
+		$encoded = json_encode( $str ); // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+		return false !== $encoded ? substr( $encoded, 1, -1 ) : $str;
+	}
+
 	/**
 	 * Escapes (backticks) MySQL identifiers (aka schema object names) - i.e. column names, table names, and database/index/alias/view etc names.
 	 * See https://dev.mysql.com/doc/refman/5.5/en/identifiers.html

src/WP_CLI/SearchReplacer.php

@@ -17,6 +17,16 @@ class SearchReplacer {
 	 */
 	private $to;
 
+	/**
+	 * @var string
+	 */
+	private $from_json;
+
+	/**
+	 * @var string
+	 */
+	private $to_json;
+
 	/**
 	 * @var bool
 	 */
@@ -78,6 +88,12 @@ public function __construct( $from, $to, $recurse_objects = false, $regex = fals
 		$this->logging         = $logging;
 		$this->clear_log_data();
 
+		// Compute JSON-encoded versions (stripping outer quotes) for handling raw JSON values in the database.
+		$from_encoded    = json_encode( $from ); // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+		$this->from_json = false !== $from_encoded ? substr( $from_encoded, 1, -1 ) : $from;
+		$to_encoded      = json_encode( $to ); // phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
+		$this->to_json   = false !== $to_encoded ? substr( $to_encoded, 1, -1 ) : $to;
+
 		// Get the XDebug nesting level. Will be zero (no limit) if no value is set
 		$this->max_recursion = intval( ini_get( 'xdebug.max_nesting_level' ) );
 	}
@@ -204,6 +220,9 @@ private function run_recursively( $data, $serialised, $recursion_level = 0, $vis
 					$data = $result;
 				} else {
 					$data = str_replace( $this->from, $this->to, $data );
+					if ( $this->from_json !== $this->from ) {
+						$data = str_replace( $this->from_json, $this->to_json, $data );
+					}
 				}
 				if ( $this->logging && $old_data !== $data ) {
 					$this->log_data[] = $old_data;