Escape HTML for BBCode strings

diff --git a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
index ee16635d1d9718b65bca3444695fd2a5605e0395..ee0cbc2eb76924dedc9a2ec45a8771032bfa0f5b 100644 (file)
--- a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
+++ b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
@@ -143,6 +143,7 @@ class HtmlInputProcessor extends AbstractHtmlProcessor {
         */
        protected function convertToHtml($html) {
                if (!preg_match('~^<[a-zA-Z\-]+~', $html) || !preg_match('~</[a-zA-Z\-]>$~', $html)) {
+                       $html = StringUtil::encodeHTML($html);
                        $parts = preg_split('~(\n+)~', $html, null, PREG_SPLIT_DELIM_CAPTURE);
                        
                        $openParagraph = false;