[2.1] & [3.0]: Html special chars in custom profile fields result in erroneous error

[sbulen]

Basic Information

When entering something in a custom field, e.g.:

This error occurs upon save:

Issue exists in 2.1 & 3.0. It appears all custom profile fields are affected.

Steps to reproduce

1. Attempt to use an ampersand, or <, or > in a custom profile field
2. Press save

Expected result

Updated custom profile field

Actual result

Version/Git revision

3.0 alpha 2 & 2.1.4

Database Engine

All

Database Version

8.4

PHP Version

8.3.8

Logs

No response

Additional Information

Issue was brought up in the forum in this thread: https://www.simplemachines.org/community/index.php?topic=589581.0

[MissAllSunday]

I took a look at this since I remember I worked on it, turns out there isn't a nice way to solve it, at least not one that still uses strip_tags as the function naturally removes <> and & even when used as a single chars not associated with a HTML tag.

Best course of actions would be:

• use a library to sanitize input (not really worth the effort unless its used everywhere else)
• use a custom mini parser to get these chars (make sure there is space around them), replace them with dummy tokens, sanitize the input, replace the token with the chars. This of course will not be a full solution since strings like this one: &some text will result in the & being removed but at least we will caught most of the uses those chars have.