diff --git a/phpBB/phpbb/textformatter/s9e/utils.php b/phpBB/phpbb/textformatter/s9e/utils.php
index a9a6d4b892..d81424e913 100644
--- a/phpBB/phpbb/textformatter/s9e/utils.php
+++ b/phpBB/phpbb/textformatter/s9e/utils.php
@@ -31,7 +31,7 @@ class utils implements \phpbb\textformatter\utils_interface
 		// Insert a space before <s> and <e> then remove formatting
 		$xml = preg_replace('#<[es]>#', ' $0', $xml);
 
-		return \s9e\TextFormatter\Utils::removeFormatting($xml);
+		return utf8_htmlspecialchars(\s9e\TextFormatter\Utils::removeFormatting($xml));
 	}
 
 	/**
diff --git a/tests/text_processing/strip_bbcode_test.php b/tests/text_processing/strip_bbcode_test.php
index 9acedc2872..6eae1aa0dd 100644
--- a/tests/text_processing/strip_bbcode_test.php
+++ b/tests/text_processing/strip_bbcode_test.php
@@ -13,27 +13,26 @@
 
 class phpbb_text_processing_strip_bbcode_test extends phpbb_test_case
 {
-	public function test_legacy()
+
+	public function data_strip_bbcode()
 	{
-		$original = '[b:20m4ill1]bold[/b:20m4ill1]';
-		$expected = ' bold ';
-
-		$actual = $original;
-		strip_bbcode($actual);
-
-		$this->assertSame($expected, $actual, '20m4ill1');
+		return [
+			['[b:20m4ill1]bold[/b:20m4ill1]', ' bold '],
+			['<r><B><s>[b]</s>bold<e>[/b]</e></B></r>', ' bold '],
+			['[b:20m4ill1]bo &amp; ld[/b:20m4ill1]', ' bo &amp; ld '],
+			['<r><B><s>[b]</s>bo &amp; ld<e>[/b]</e></B></r>', ' bo &amp; ld ']
+		];
 	}
 
-	public function test_s9e()
+	/**
+	 * @dataProvider data_strip_bbcode
+	 */
+	public function test_strip_bbcode($input, $expected)
 	{
 		$phpbb_container = $this->get_test_case_helpers()->set_s9e_services();
 
-		$original = '<r><B><s>[b]</s>bold<e>[/b]</e></B></r>';
-		$expected = ' bold ';
+		strip_bbcode($input);
 
-		$actual = $original;
-		strip_bbcode($actual);
-
-		$this->assertSame($expected, $actual);
+		$this->assertSame($expected, $input);
 	}
 }