[markdown] Escape HTML characters before running Markdown::toBBCode() #1190

Merged
MrPetovan merged 1 commit from bug/10634-markdown-html into develop 2021-10-14 09:56:36 +02:00


@ -56,6 +56,10 @@ function markdown_post_local_start(App $a, &$request) {
// Escape mentions which username can contain Markdown-like characters // Escape mentions which username can contain Markdown-like characters
// See https://github.com/friendica/friendica/issues/9486 // See https://github.com/friendica/friendica/issues/9486
return \Friendica\Util\Strings::performWithEscapedBlocks($body, '/[@!][^@\s]+@[^\s]+\w/', function ($text) { return \Friendica\Util\Strings::performWithEscapedBlocks($body, '/[@!][^@\s]+@[^\s]+\w/', function ($text) {
// Markdown accepts literal HTML but we do not in post body, so we need to escape all chevrons
// See https://github.com/friendica/friendica/issues/10634
$text = \Friendica\Util\Strings::escapeHtml($text);
return Markdown::toBBCode($text); return Markdown::toBBCode($text);
}); });
} }
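Review bot: The new escapeHtml() call runs only inside the performWithEscapedBlocks() callback, so text matched by the mention regex is spliced back into the result without ever being escaped, and the character class `[^@\s]+` still accepts `<` and `>` — a token such as `@a<b>c@example.com` keeps its raw chevrons while the surrounding body is escaped. Whether that reaches the rendered HTML depends on how the BBCode output is sanitised downstream, which is not visible here, but the stated intent ("escape all chevrons") is not met by this hunk alone. The simplest fix within this function is to exclude chevrons from the mention pattern, e.g. `'/[@!][^@\s<>]+@[^\s<>]+\w/'`, so mention-shaped tokens containing them fall through to the escaped path; escaping `$body` once before the performWithEscapedBlocks() call would also work but would turn `&` in usernames into `&amp;` and may affect mention resolution later, so it needs checking. It would also help to note in the comment whether escapeHtml() double-encodes existing entities, since a user typing `&amp;` literally will otherwise be mangled. markdown_post_local_start() begins before the hunk.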