Bug: editing a saved forum post and clicking Save would show <p> and similar escaped tags in the rendered output instead of proper paragraphs, formatting, or blockquotes.
Root cause: forum posts are stored as pre-rendered HTML (markdown runs at save time). The edit form loaded that HTML into the textarea, and on save the site re-ran the markdown pipeline, which escapes HTML for XSS safety. So every edit escaped the tags another layer.
Fix:
- ForumController::purifyHtml is now idempotent — detects input that already looks like rendered HTML (starts with a block-level tag) and runs only the sanitizer, not the markdown renderer. Fresh markdown input still renders normally.
- Backfill script bin/repair-double-escaped-posts.php scans for historical victims and decodes their escaped tags. Safe to re-run; only touches rows where escaped tags overwhelm real ones.
Caught one historical post on first run and repaired it. Also covers the blockquote-via-quote-reply case that was the first symptom of the same underlying bug.
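A sketch of the two checks described above, added here as an illustration and not taken from the project's code. The tag list, the "escaped outnumber real" threshold, the function names and the strip_tags() placeholder are all assumptions; only attribute-free tags are decoded, so a literal mention such as &lt;script&gt; in a post stays escaped.

```php
<?php
declare(strict_types=1);

// Assumed tag list and threshold; the project's own values are not shown on this page.
const TAGS = 'p|blockquote|ul|ol|li|pre|h[1-6]';
const REAL_TAG = '~</?(?:' . TAGS . ')\b[^>]*>~i';
// Only attribute-free escaped tags are decoded, so decoding cannot revive
// event handlers or URLs; anything else stays escaped for manual review.
const ESCAPED_TAG = '~&lt;/?(?:' . TAGS . ')\s*&gt;~i';

/** Save-time check: does the input already look like rendered HTML? */
function looksRendered(string $body): bool
{
    return preg_match('~^\s*<(?:' . TAGS . ')\b[^>]*>~i', $body) === 1;
}

/** Backfill step for one row; returns the body unchanged when it is not a victim. */
function repairBody(string $body, callable $sanitize): string
{
    $real    = preg_match_all(REAL_TAG, $body);
    $escaped = preg_match_all(ESCAPED_TAG, $body);
    if ($escaped <= $real) {
        return $body; // healthy or already repaired: re-running is a no-op
    }
    $decoded = preg_replace_callback(
        ESCAPED_TAG,
        static fn(array $m): string => htmlspecialchars_decode($m[0]),
        $body
    ) ?? $body;
    return $sanitize($decoded); // decoded markup is sanitized before it is stored again
}

// Placeholder for the project's sanitizer. strip_tags() keeps attributes,
// so it is not a sanitizer in its own right; wire in the real one here.
$sanitize = static fn(string $h): string => strip_tags($h, '<p><blockquote><ul><ol><li><pre>');

// Constructed sample rows.
$victim  = '<p>&lt;blockquote&gt;&lt;p&gt;quoted&lt;/p&gt;&lt;/blockquote&gt;</p>';
$literal = '<p>Wrap text in &lt;p&gt; or use &lt;script&gt; with care.</p>';

$fixed = repairBody($victim, $sanitize);
var_dump($fixed);                                       // repaired body
var_dump(repairBody($fixed, $sanitize) === $fixed);     // checks that a second run changes nothing
var_dump(repairBody($literal, $sanitize) === $literal); // checks that a literal mention is left alone
var_dump(looksRendered($fixed), looksRendered('> quoted reply')); // rendered HTML vs. fresh markdown
```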