Escape major HTML characters in code blocks in BBCode::convert

- HTML sanitization was removing unescaped opening chevrons in code blocks

diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php
index a3d26a73671e260b6a59305d8ac2bceb0e3b224b..3617470df4ff175cc0505cf1e5ea934427b6c0c6 100644 (file)
--- a/src/Content/Text/BBCode.php
+++ b/src/Content/Text/BBCode.php
@@ -1283,9 +1283,9 @@ class BBCode extends BaseObject
                        function ($matches) use (&$codeblocks) {
                                $return = '#codeblock-' . count($codeblocks) . '#';
                                if (strpos($matches[2], "\n") !== false) {
-                                       $codeblocks[] = '<pre><code class="language-' . trim($matches[1]) . '">' . trim($matches[2], "\n\r") . '</code></pre>';
+                                       $codeblocks[] = '<pre><code class="language-' . trim($matches[1]) . '">' . htmlspecialchars(trim($matches[2], "\n\r"), ENT_NOQUOTES, 'UTF-8') . '</code></pre>';
                                } else {
-                                       $codeblocks[] = '<code>' . $matches[2] . '</code>';
+                                       $codeblocks[] = '<code>' . htmlspecialchars($matches[2], ENT_NOQUOTES, 'UTF-8') . '</code>';
                                }
 
                                return $return;