From 54ef9234993c3955052e7bef0eec311fdf4ccde6 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 18 Oct 2021 09:13:47 -0400
Subject: [PATCH] [markdown] Limit HTML escaping to left chevrons - Right chevrons are used for quotation in Markdown
---
 markdown/markdown.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/markdown/markdown.php b/markdown/markdown.php
index 5e819fb5..fe533147 100644
--- a/markdown/markdown.php
+++ b/markdown/markdown.php
@@ -56,9 +56,10 @@ function markdown_post_local_start(App $a, &$request) {
 // Escape mentions which username can contain Markdown-like characters
 // See https://github.com/friendica/friendica/issues/9486
 return \Friendica\Util\Strings::performWithEscapedBlocks($body, '/[@!][^@\s]+@[^\s]+\w/', function ($text) {
- // Markdown accepts literal HTML but we do not in post body, so we need to escape all chevrons
+ // Markdown accepts literal HTML but we do not in post body, so we need to escape left chevrons
+ // (right chevrons are used for quoting in Markdown)
 // See https://github.com/friendica/friendica/issues/10634
- $text = \Friendica\Util\Strings::escapeHtml($text);
+ $text = strtr($text, ['<' => '<']);
 return Markdown::toBBCode($text);
 });
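Review bot: The replacement on the added `strtr` line reads `['<' => '<']` as shown here, which maps the character to itself and would leave literal HTML in the post body unescaped; this is presumably the page displaying a decoded entity, but the committed line should be confirmed as `$text = strtr($text, ['<' => '&lt;']);`. Dropping `escapeHtml` also stops escaping `&`, so a typed `&lt;` and an escaped `<` become indistinguishable before `Markdown::toBBCode` runs; if any later stage decodes entities, `strtr($text, ['&' => '&amp;', '<' => '&lt;'])` would keep `>` free for quotes without that ambiguity. The narrower escape relies on every HTML construct needing a `<`, so a regression test that feeds a tag-bearing post body alongside a `>` quote would pin the behaviour from issue 10634. The enclosing `markdown_post_local_start` starts and ends outside this hunk, so how `$body` reaches the closure is not visible here.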