My apologies for the terseness. If anything's unclear, feel free to ping me and I'll develop.
phpBB 3.3.2 fixes a security issue labeled security-264. I don't have access to it and only became aware of it today. The commit that fixes it is there: https://github.com/phpbb/phpbb/commit/3 ... 1ccce1c72a
I gather that it's meant to fix
strip_bbcode()
's behaviour with regards to HTML entities, specifically a code path that I personally wrote. I did not realize that strip_bbcode()
was meant to be HTML-safe, that's why its return value was not HTML-safe. For anything posted or reparsed on phpBB >= 3.2, the function relies on the text_formatter.s9e.utils
service which implements the phpbb\textformatter\utils_interface
API. None of that API is meant to be HTML-safe.The proposed merge request moves the HTML escaping out of the
text_formatter.s9e.utils
implementation and back to strip_bbcode()
to restore the former's behaviour while keeping the latter safe to be used in HTML. I've added a comment to make it clear what "plain text" and "parsed text" refer to.