From: Alexander Ebert
Date: Sun, 10 Jul 2016 22:09:18 +0000 (+0200)
Subject: Escape HTML for BBCode strings
X-Git-Tag: 3.0.0_Beta_1~1208
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=836f3762541aad913c1fc38437ba1c0cb67b621e;p=GitHub%2FWoltLab%2FWCF.git

Escape HTML for BBCode strings
---
diff --git a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
index ee16635d1d..ee0cbc2eb7 100644
--- a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
+++ b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
@@ -143,6 +143,7 @@ class HtmlInputProcessor extends AbstractHtmlProcessor {
 	 */
 	protected function convertToHtml($html) {
 		if (!preg_match('~^<[a-zA-Z\-]+~', $html) || !preg_match('~$~', $html)) {
+			$html = StringUtil::encodeHTML($html);
 			$parts = preg_split('~(\n+)~', $html, null, PREG_SPLIT_DELIM_CAPTURE);
 			$openParagraph = false;
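Review bot: The added `StringUtil::encodeHTML($html)` runs only when the prefix check on the preceding line classifies the input as non-HTML, so text whose first characters happen to look like an opening tag bypasses the escaping entirely and is processed as trusted HTML. The second disjunct `!preg_match('~$~', $html)` is dead, since `~$~` matches every string; if a trailing-`>` check such as `'~>$~'` was intended, the sniff should be corrected in the same change because the new escaping depends on it. A content sniff is a fragile place to decide whether to escape; an explicit flag from the call site (or a separate method for legacy BBCode input) that always encodes would make the trust boundary explicit. If stored BBCode text can already contain entities, this line will double-encode them — worth confirming against the callers. `convertToHtml()` continues past the end of the hunk.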