Fixed \XF\BbCode\Renderer\Html::renderTagTable corrupts tables on edit


Well-known member
Affected version
XenForo 2.2.9

\XF\BbCode\Renderer\Html::renderTagTable, line 1620:
$rows[$i] = preg_replace('#</tr>$#', "$filler\0", $rows[$i]);
The backslash in the replacement text isn't escaped, so it results in a literal null byte instead of </tr>.

This causes unexpected behavior with certain malformed BB code tables that a confused user could accidentally create, such as:

  1. Make sure your editor is currently in WYSIWYG mode.
  2. Create a new post with the code above.
  3. Save the post.
  4. Click "Edit" to edit the post.
  5. Save the post again.
Your post will now be prefixed with � (U+FFFD), which is replacing the null byte your post previously contained.


  • 2022-06-14-bbcode-table-null-byte-paul.diff
    564 bytes · Views: 5
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.12).

Change log:
Properly escape regex when rendering a BB code table.
There may be a delay before changes are rolled out to the XenForo Community.
Top Bottom