[ticket/security-264] Ensure HTML entity state after removing formatting

SECURITY-264

phpBB/phpbb/textformatter/s9e/utils.php

@@ -31,7 +31,7 @@ class utils implements \phpbb\textformatter\utils_interface
 		// Insert a space before <s> and <e> then remove formatting
 		$xml = preg_replace('#<[es]>#', ' $0', $xml);
 
-		return \s9e\TextFormatter\Utils::removeFormatting($xml);
+		return utf8_htmlspecialchars(\s9e\TextFormatter\Utils::removeFormatting($xml));
 	}
 
 	/**

tests/text_processing/strip_bbcode_test.php

@@ -13,27 +13,26 @@
 
 class phpbb_text_processing_strip_bbcode_test extends phpbb_test_case
 {
-	public function test_legacy()
+
+	public function data_strip_bbcode()
 	{
-		$original = '[b:20m4ill1]bold[/b:20m4ill1]';
+		return [
-		$expected = ' bold ';
+			['[b:20m4ill1]bold[/b:20m4ill1]', ' bold '],
-
+			['<r><B><s>[b]</s>bold<e>[/b]</e></B></r>', ' bold '],
-		$actual = $original;
+			['[b:20m4ill1]bo &amp; ld[/b:20m4ill1]', ' bo &amp; ld '],
-		strip_bbcode($actual);
+			['<r><B><s>[b]</s>bo &amp; ld<e>[/b]</e></B></r>', ' bo &amp; ld ']
-
+		];
-		$this->assertSame($expected, $actual, '20m4ill1');
 	}
 
-	public function test_s9e()
+	/**
+	 * @dataProvider data_strip_bbcode
+	 */
+	public function test_strip_bbcode($input, $expected)
 	{
 		$phpbb_container = $this->get_test_case_helpers()->set_s9e_services();
 
-		$original = '<r><B><s>[b]</s>bold<e>[/b]</e></B></r>';
+		strip_bbcode($input);
-		$expected = ' bold ';
 
-		$actual = $original;
+		$this->assertSame($expected, $input);
-		strip_bbcode($actual);
-
-		$this->assertSame($expected, $actual);
 	}
 }