Description
Describe the Bug
The function slugifyLikeString in app/lib/database/utils.ts (around line 14) contains a bug where the replace() result is not assigned or returned.
Because of this, the string sanitization step is effectively skipped, and the unsanitized string (which may contain special characters) is passed directly to slugify().
Steps to Reproduce
Open app/lib/database/utils.ts.
Locate the slugifyLikeString function (lines 12–17).
Notice this line:
str?.replace(likeStringRegex, '_');
The result of replace() is not assigned back to str or returned.
This means the sanitization step does not take effect before the string is passed to slugify().
Expected Behavior
The line should assign the result of replace() back to the variable:
str = str?.replace(likeStringRegex, '_') ?? str;
OR
chain the operation like this:
const sanitized = str.replace(likeStringRegex, '_');
const slugified = slugify(sanitized);
return slugified;
The string should always be sanitized before being passed to slugify().
Actual Behavior
The replace() on line 14 does nothing because its result is ignored.
The raw string with special characters is passed directly to slugify().
The sanitization step is effectively skipped.
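As an added illustration (not code from the Rocket.Chat repository), the discarded-result shape described above sits beside the assigned form, with a small check that the rewrite actually reached the output; likeStringRegex and slugify are constructed stand-ins assumed here, not the project's real definitions:

```typescript
// Added example, not Rocket.Chat code. Assumed stand-ins:
//  - likeStringRegex: characters assumed to need rewriting before a LIKE query ('%' here)
//  - slugify: minimal stand-in (trim, lowercase, whitespace to '-'); the real dependency differs
const likeStringRegex = /[%]/g;

function slugify(s: string): string {
  return s.trim().toLowerCase().replace(/\s+/g, '-');
}

// The shape reported in the issue: replace() runs, but its return value is dropped,
// so slugify() receives the original, unsanitized string.
function slugifyLikeStringBuggy(str?: string): string {
  str?.replace(likeStringRegex, '_'); // no assignment: this line has no effect
  return slugify(str ?? '');
}

// Fixed shape: the replaced string is assigned back before it reaches slugify().
function slugifyLikeStringFixed(str?: string): string {
  str = str?.replace(likeStringRegex, '_') ?? str;
  return slugify(str ?? '');
}

// Regression check for a unit test: true when no character matched by the
// sanitizer survives in the output (fresh non-global regex, so no lastIndex state).
function isSanitized(output: string): boolean {
  return !/[%]/.test(output);
}

// Constructed input carrying a wildcard character.
const sample = '100% Done';
console.log(slugifyLikeStringBuggy(sample), isSanitized(slugifyLikeStringBuggy(sample))); // 100%-done false
console.log(slugifyLikeStringFixed(sample), isSanitized(slugifyLikeStringFixed(sample))); // 100_-done true
```

The isSanitized check is the kind of assertion that would have caught this: it fails on the buggy function and passes once the result is assigned.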
Rocket.Chat Server Version
N/A (Code bug fix)
Rocket.Chat App Version
4.67.0
Device Name
N/A
OS Version
N/A
Additional Context
File: app/lib/database/utils.ts
Impact: The slugifyLikeString function is used in:
app/lib/methods/search.ts
app/lib/methods/helpers/mergeSubscriptionsRooms.ts
Note: This bug means special characters may not be properly sanitized before slugification, which could lead to unexpected behavior in search and room merging functionality.