My apologies for the terseness. If anything's unclear, feel free to ping me and I'll develop.
phpBB 3.3.2 fixes a security issue labeled security-264. I don't have access to it and only became aware of it today. The commit that fixes it is there: https://github.com/phpbb/phpbb/commit/3 ... 1ccce1c72a
I gather that it's meant to fix
strip_bbcode()'s behaviour with regards to HTML entities, specifically a code path that I personally wrote. I did not realize that
strip_bbcode()was meant to be HTML-safe, that's why its return value was not HTML-safe. For anything posted or reparsed on phpBB >= 3.2, the function relies on the
text_formatter.s9e.utilsservice which implements the
phpbb\textformatter\utils_interfaceAPI. None of that API is meant to be HTML-safe.
The proposed merge request moves the HTML escaping out of the
text_formatter.s9e.utilsimplementation and back to
strip_bbcode()to restore the former's behaviour while keeping the latter safe to be used in HTML. I've added a comment to make it clear what "plain text" and "parsed text" refer to.