From 836f3762541aad913c1fc38437ba1c0cb67b621e Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Mon, 11 Jul 2016 00:09:18 +0200
Subject: [PATCH] Escape HTML for BBCode strings

---
 .../files/lib/system/html/input/HtmlInputProcessor.class.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
index ee16635d1d..ee0cbc2eb7 100644
--- a/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
+++ b/wcfsetup/install/files/lib/system/html/input/HtmlInputProcessor.class.php
@@ -143,6 +143,7 @@ class HtmlInputProcessor extends AbstractHtmlProcessor {
 	 */
 	protected function convertToHtml($html) {
 		if (!preg_match('~^<[a-zA-Z\-]+~', $html) || !preg_match('~$~', $html)) {
+			$html = StringUtil::encodeHTML($html);
 			$parts = preg_split('~(\n+)~', $html, null, PREG_SPLIT_DELIM_CAPTURE);
 			$openParagraph = false;
-- 
2.20.1
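Review bot: The added `StringUtil::encodeHTML($html)` only protects the plain-text branch; any input whose first characters match `<[a-zA-Z\-]+` — including plain text that merely begins with a tag-like token — skips the escape and is handed to the HTML path, so that path's safety rests on sanitization outside this hunk. A comment on the new line would make the contract explicit: `// plain-text (BBCode) path: escape before paragraph wrapping; HTML input must be sanitized downstream — confirm`. As shown, the second condition reads `!preg_match('~$~', $html)`, which is never true because `$` matches every string; if that is the real pattern rather than an extraction artifact, the branch is decided by the first regex alone and the heuristic deserves a second look. On the following unchanged line, `preg_split(..., null, ...)` passes null as the int limit, which is deprecated on PHP 8.1+ and should be `-1`. convertToHtml's body continues outside the hunk.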