Fixed \XF\BbCode\Renderer\Html::renderTagTable corrupts tables on edit

PaulB

Well-known member
Affected version
2.2.9
XenForo 2.2.9

\XF\BbCode\Renderer\Html::renderTagTable, line 1620:
PHP:
$rows[$i] = preg_replace('#</tr>$#', "$filler\0", $rows[$i]);
The backslash in the replacement text isn't escaped, so it results in a literal null byte instead of </tr>.

This causes unexpected behavior with certain malformed BB code tables that a confused user could accidentally create, such as:
Code:
[table]
[tr][td]a1[/td][td]b1[/td][/tr]
[tr][td]a2[/td][td]b2
[tr][td]a3[/td][td]b3[/td][/tr]
[/td][/tr][/table]

Repro:
  1. Make sure your editor is currently in WYSIWYG mode.
  2. Create a new post with the code above.
  3. Save the post.
  4. Click "Edit" to edit the post.
  5. Save the post again.
Your post will now be prefixed with � (U+FFFD), which is replacing the null byte your post previously contained.
 

Attachments

Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.12).

Change log:
Properly escape regex when rendering a BB code table.
There may be a delay before changes are rolled out to the XenForo Community.
 
Top Bottom