[markdown] Escape HTML characters before running Markdown::toBBCode()

- This prevents HTML tag looking text to be purified in the Markdown to BBCode process

diff --git a/markdown/markdown.php b/markdown/markdown.php
index 4f12e7137b2734837feb670099dbd2e90e9c7d42..5e819fb57a6a507bc8b8ab5bba5ee1ffc66ad518 100644 (file)
--- a/markdown/markdown.php
+++ b/markdown/markdown.php
@@ -56,6 +56,10 @@ function markdown_post_local_start(App $a, &$request) {
                        // Escape mentions which username can contain Markdown-like characters
                        // See https://github.com/friendica/friendica/issues/9486
                        return \Friendica\Util\Strings::performWithEscapedBlocks($body, '/[@!][^@\s]+@[^\s]+\w/', function ($text) {
+                               // Markdown accepts literal HTML but we do not in post body, so we need to escape all chevrons
+                               // See https://github.com/friendica/friendica/issues/10634
+                               $text = \Friendica\Util\Strings::escapeHtml($text);
+
                                return Markdown::toBBCode($text);
                        });
                }