Fixed \XF\BbCode\Renderer\Html::renderTagTable corrupts tables on edit

[PaulB]

Affected version

2.2.9

XenForo 2.2.9

\XF\BbCode\Renderer\Html::renderTagTable, line 1620:

$rows[$i] = preg_replace('#</tr>$#', "$filler\0", $rows[$i]);

The backslash in the replacement text isn't escaped, so it results in a literal null byte instead of </tr>.

This causes unexpected behavior with certain malformed BB code tables that a confused user could accidentally create, such as:

[table]
[tr][td]a1[/td][td]b1[/td][/tr]
[tr][td]a2[/td][td]b2
[tr][td]a3[/td][td]b3[/td][/tr]
[/td][/tr][/table]

Repro:

1. Make sure your editor is currently in WYSIWYG mode.
2. Create a new post with the code above.
3. Save the post.
4. Click "Edit" to edit the post.
5. Save the post again.

Your post will now be prefixed with � (U+FFFD), which is replacing the null byte your post previously contained.

 

[XF Bug Bot]

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.12).

Change log:

Properly escape regex when rendering a BB code table.

There may be a delay before changes are rolled out to the XenForo Community.