From 43b0b5a0e4693704e7b0a14d6f928a2363db9d4c Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Thu, 14 Oct 2021 02:11:53 -0400 Subject: [PATCH] [markdown] Escape HTML characters before running Markdown::toBBCode() - This prevents HTML tag looking text to be purified in the Markdown to BBCode process --- markdown/markdown.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/markdown/markdown.php b/markdown/markdown.php index 4f12e713..5e819fb5 100644 --- a/markdown/markdown.php +++ b/markdown/markdown.php @@ -56,6 +56,10 @@ function markdown_post_local_start(App $a, &$request) { // Escape mentions which username can contain Markdown-like characters // See https://github.com/friendica/friendica/issues/9486 return \Friendica\Util\Strings::performWithEscapedBlocks($body, '/[@!][^@\s]+@[^\s]+\w/', function ($text) { + // Markdown accepts literal HTML but we do not in post body, so we need to escape all chevrons + // See https://github.com/friendica/friendica/issues/10634 + $text = \Friendica\Util\Strings::escapeHtml($text); + return Markdown::toBBCode($text); }); } -- 2.39.5