fix unterminated entity reference error when dealing with domxpath and add a test

2 files changed, 7 insertions, 2 deletions

diff --git a/include/html2bbcode.php b/include/html2bbcode.php
index e97748a59..c7fe981d0 100644
--- a/include/html2bbcode.php
+++ b/include/html2bbcode.php
@@ -77,12 +77,13 @@ function node2bbcodesub(&$doc, $oldnode, $attributes, $startbb, $endbb)
 					// The exception is `<pre>` and `<code>` elements which
 					// should keep both newlines and whitespace intact.
 					if ($oldNode->nodeName != 'pre' && $oldNode->nodeName != 'code') {
+
 						$newNode->nodeValue = str_replace(
 							array("\n<", ">\n", "\r", "\n", "\xC3\x82\xC2\xA0"),
 							array("<", ">", "<br />", " ", ""),
-							$newNode->nodeValue);
+							htmlspecialchars($newNode->nodeValue, ENT_QUOTES, 'UTF-8', false));
 
-						$newNode->nodeValue = preg_replace('=[\s]{2,}=i', " ", $newNode->nodeValue);
+						$newNode->nodeValue = preg_replace('=[\s]{2,}=i', " ", htmlspecialchars($newNode->nodeValue, ENT_QUOTES, 'UTF-8', false));
 					}
 
 					$oldNode->parentNode->insertBefore($newNode, $oldNode);
diff --git a/tests/unit/includes/BBCodeTest.php b/tests/unit/includes/BBCodeTest.php
index f29eeafd4..0da50f77a 100644
--- a/tests/unit/includes/BBCodeTest.php
+++ b/tests/unit/includes/BBCodeTest.php
@@ -194,6 +194,10 @@ class BBCodeTest extends UnitTestCase {
 			'paragraph with a mention and some text' => [
 				'<p><span class="h-card" translate="no"><a href="https://example.org/@profile" class="u-url mention">@<span>profile</span></a></span> some content</p>',
 				'[url=https://example.org/@profile]@profile[/url] some content'
+			],
+			'nested tags with ampersand and new line' => [
+				"<b>\n<i>foo & bar</i></b>",
+				'[b] [i]foo &amp; bar[/i][/b]'
 			]
 		];
 	}