Merge pull request #7944 from MrPetovan/bug/4451-escape-bbcode-blocks-autolinker

Escape potential URL-containing BBCodes before running autolinker

diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php
index fcce795810082b359c23d1c42c55a65c3bb253a8..6d4c3418d07410dd40417c5203ae0328c5d8c821 100644 (file)
--- a/src/Content/Text/BBCode.php
+++ b/src/Content/Text/BBCode.php
@@ -1507,8 +1507,29 @@ class BBCode extends BaseObject
                $text = str_replace('[hr]', '<hr />', $text);
 
                if (!$for_plaintext) {
+                       $escaped = [];
+
+                       // Escaping BBCodes susceptible to contain rogue URL we don'' want the autolinker to catch
+                       $text = preg_replace_callback('#\[(url|img|audio|video|youtube|vimeo|share|attachment|iframe|bookmark).+?\[/\1\]#ism',
+                               function ($matches) use (&$escaped) {
+                                       $return = '{escaped-' . count($escaped) . '}';
+                                       $escaped[] = $matches[0];
+
+                                       return $return;
+                               },
+                               $text
+                       );
+
                        // Autolinker for isolated URLs
                        $text = preg_replace(Strings::autoLinkRegEx(), '[url]$1[/url]', $text);
+
+                       // Restoring escaped blocks
+                       $text = preg_replace_callback('/{escaped-([0-9]+)}/iU',
+                               function ($matches) use ($escaped) {
+                                       return $escaped[intval($matches[1])] ?? $matches[0];
+                               },
+                               $text
+                       );
                }
 
                // This is actually executed in Item::prepareBody()