Fixed \XF\BbCode\Renderer\Html::renderTagTable corrupts tables on edit

PaulB

Well-known member
Affected version
2.2.9
XenForo 2.2.9

\XF\BbCode\Renderer\Html::renderTagTable, line 1620:
PHP:
$rows[$i] = preg_replace('#</tr>$#', "$filler\0", $rows[$i]);
The backslash in the replacement text isn't escaped, so it results in a literal null byte instead of </tr>.

This causes unexpected behavior with certain malformed BB code tables that a confused user could accidentally create, such as:
Code:
[table]
[tr][td]a1[/td][td]b1[/td][/tr]
[tr][td]a2[/td][td]b2
[tr][td]a3[/td][td]b3[/td][/tr]
[/td][/tr][/table]

Repro:
  1. Make sure your editor is currently in WYSIWYG mode.
  2. Create a new post with the code above.
  3. Save the post.
  4. Click "Edit" to edit the post.
  5. Save the post again.
Your post will now be prefixed with � (U+FFFD), which is replacing the null byte your post previously contained.
 

Attachments

  • 2022-06-14-bbcode-table-null-byte-paul.diff
    564 bytes · Views: 5
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.12).

Change log:
Properly escape regex when rendering a BB code table.
There may be a delay before changes are rolled out to the XenForo Community.
 
Back
Top Bottom