Fixed \XF\BbCode\Renderer\Html::renderTagTable corrupts tables on edit


Well-known member
Affected version
XenForo 2.2.9

\XF\BbCode\Renderer\Html::renderTagTable, line 1620:
$rows[$i] = preg_replace('#</tr>$#', "$filler\0", $rows[$i]);
The backslash in the replacement text isn't escaped, so it results in a literal null byte instead of </tr>.

This causes unexpected behavior with certain malformed BB code tables that a confused user could accidentally create, such as:

  1. Make sure your editor is currently in WYSIWYG mode.
  2. Create a new post with the code above.
  3. Save the post.
  4. Click "Edit" to edit the post.
  5. Save the post again.
Your post will now be prefixed with � (U+FFFD), which is replacing the null byte your post previously contained.


  • 2022-06-14-bbcode-table-null-byte-paul.diff
    564 bytes · Views: 5

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.12).

Change log:
Properly escape regex when rendering a BB code table.
There may be a delay before changes are rolled out to the XenForo Community.