Escape HTML for BBCode strings
authorAlexander Ebert <ebert@woltlab.com>
Sun, 10 Jul 2016 22:09:18 +0000 (00:09 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Sun, 10 Jul 2016 22:10:03 +0000 (00:10 +0200)
wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php

index ee16635d1d9718b65bca3444695fd2a5605e0395..ee0cbc2eb76924dedc9a2ec45a8771032bfa0f5b 100644 (file)
@@ -143,6 +143,7 @@ class HtmlInputProcessor extends AbstractHtmlProcessor {
         */
        protected function convertToHtml($html) {
                if (!preg_match('~^<[a-zA-Z\-]+~', $html) || !preg_match('~</[a-zA-Z\-]>$~', $html)) {
+                       $html = StringUtil::encodeHTML($html);
                        $parts = preg_split('~(\n+)~', $html, null, PREG_SPLIT_DELIM_CAPTURE);
                        
                        $openParagraph = false;
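Review bot: The added `StringUtil::encodeHTML($html)` call runs only when the two `preg_match` checks on the line above classify the input as plain text, so whether a string is escaped depends on a heuristic over how it starts and ends. The closing-tag pattern `~</[a-zA-Z\-]>$~` has no quantifier and matches only one-letter tag names, so input ending in `</div>` is treated as text and escaped, while input that starts with a tag-like token and ends in `</p>` skips the escape; if multi-letter names are meant, the check should read `!preg_match('~</[a-zA-Z\-]+>$~', $html)`. Input that takes the HTML branch presumably relies on a later sanitisation step that this hunk does not show, which deserves a comment above the condition such as `// input that already looks like HTML is not escaped here and must be sanitized before output`. The body of convertToHtml() continues past the end of the hunk.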