From 8e20a7d9c563e74c36b094150691c04d42be11b9 Mon Sep 17 00:00:00 2001
From: devswithme <developswithme@gmail.com>
Date: Sat, 28 Mar 2026 22:55:27 +0800
Subject: [PATCH] fix: escape regex metacharacters in from/mention search
 filters

---
 .../server/lib/parseMessageSearchQuery.ts     |  4 ++--
 .../lib/parseMessageSearchQuery.spec.ts       | 21 +++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/apps/meteor/server/lib/parseMessageSearchQuery.ts b/apps/meteor/server/lib/parseMessageSearchQuery.ts
index 0365b6e2aecd1..ef66c65becbb0 100644
--- a/apps/meteor/server/lib/parseMessageSearchQuery.ts
+++ b/apps/meteor/server/lib/parseMessageSearchQuery.ts
@@ -45,7 +45,7 @@ class MessageSearchQueryParser {
 			from.push(username);
 
 			this.query['u.username'] = {
-				$regex: from.join('|'),
+				$regex: from.map(escapeRegExp).join('|'),
 				$options: 'i',
 			};
 
@@ -60,7 +60,7 @@ class MessageSearchQueryParser {
 			mentions.push(username);
 
 			this.query['mentions.username'] = {
-				$regex: mentions.join('|'),
+				$regex: mentions.map(escapeRegExp).join('|'),
 				$options: 'i',
 			};
 
diff --git a/apps/meteor/tests/unit/server/lib/parseMessageSearchQuery.spec.ts b/apps/meteor/tests/unit/server/lib/parseMessageSearchQuery.spec.ts
index dd445a72e5087..33bb496d15e69 100644
--- a/apps/meteor/tests/unit/server/lib/parseMessageSearchQuery.spec.ts
+++ b/apps/meteor/tests/unit/server/lib/parseMessageSearchQuery.spec.ts
@@ -25,6 +25,27 @@ describe('parseMessageSearchQuery', () => {
 				limit: 20,
 			},
 		},
+		{
+			text: 'from:rocket.cat',
+			query: {
+				'u.username': { $regex: 'rocket\\.cat', $options: 'i' },
+			},
+			options: { projection: {}, sort: { ts: -1 }, skip: 0, limit: 20 },
+		},
+		{
+			text: 'mention:john.doe',
+			query: {
+				'mentions.username': { $regex: 'john\\.doe', $options: 'i' },
+			},
+			options: { projection: {}, sort: { ts: -1 }, skip: 0, limit: 20 },
+		},
+		{
+			text: 'from:john.doe from:jane.doe',
+			query: {
+				'u.username': { $regex: 'john\\.doe|jane\\.doe', $options: 'i' },
+			},
+			options: { projection: {}, sort: { ts: -1 }, skip: 0, limit: 20 },
+		},
 		{
 			text: 'has:star',
 			query: { 'starred._id': params.user._id },