- Bug
- Resolution: Fixed
- Major
- 3.2.7
- None
Investigating this user's post revealed what appears to be an unexpected change: https://www.phpbb.com/community/viewtopic.php?f=556&t=2511531
In phpBB 3.2.7 (and presumably phpBB 3.2.6 as well), any new or existing BBCode which attempts to use {TEXT} inside an HTML tag attribute simply no longer works; or more specifically, it generates corrupt BBCode replacement output.
Minimal example: Create a BBCode defined as:
[test={URL}]{TEXT}[/test]
with its replacement HTML defined as:
<a href="{URL}" alt="{TEXT}">{TEXT}</a>
When saving this BBCode definition, phpBB presents the following caution: "Warning: The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} or {INTTEXT} types instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable. [Yes] [Cancel]"
So it allows you to proceed with saving the current definition, even in phpBB 3.2.7. And in phpBB 3.2.5 and earlier, this would result in a successful BBCode.
But in phpBB 3.2.7, attempting to utilize the above example BBCode using:
[test=http://ea117.com]Test[/test]
results in an HTML rendering of only "Test</a>", as though the BBCode's replacement HTML definition were just "{TEXT}</a>" instead of "<a href="{URL}" alt="{TEXT}">{TEXT}</a>" as defined.
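To make the warning and the expected behaviour concrete, here is an added Python example (not phpBB's or s9e/TextFormatter's code) that mirrors both halves of the problem: a check that flags {TEXT} used inside an HTML attribute, and a renderer that validates each token against its filter and attribute-escapes every substituted value, so the example tag above yields the full anchor element rather than a truncated one. The token filter patterns and the function names are assumptions for this example.

```python
import html
import re

# Token filters, loosely modelled on phpBB's BBCode token types. The token
# names come from the bug report; the exact patterns are assumptions.
FILTERS = {
    "URL": re.compile(r"^https?://[^\s\"'<>]+$", re.I),
    "SIMPLETEXT": re.compile(r"^[A-Za-z0-9 .,_+-]*$"),
    "TEXT": re.compile(r".*", re.S),  # unrestricted: only safe outside attributes
}
TOKEN_RE = re.compile(r"\{([A-Z]+)\}")
ATTR_VALUE_RE = re.compile(r'=\s*"([^"]*)"')  # double-quoted HTML attribute values


def unsafe_attribute_tokens(template):
    """Tokens inside an attribute value that phpBB warns about: {TEXT} is
    unrestricted, so substituting it raw there lets a value break out of the
    attribute. Restricted tokens such as {SIMPLETEXT} are not reported."""
    return [t for value in ATTR_VALUE_RE.findall(template)
            for t in TOKEN_RE.findall(value) if t == "TEXT"]


def render(definition, template, usage):
    """Match `usage` against the BBCode `definition`, validate every captured
    token with its filter, and substitute it into `template` HTML-escaped.
    Returns None when the tag does not match or a value fails its filter
    (the tag would then be left as plain text rather than rendered)."""
    pattern, pos = "", 0
    for m in TOKEN_RE.finditer(definition):
        pattern += re.escape(definition[pos:m.start()])
        pattern += r"(?P<%s>.*?)" % m.group(1)  # one named group per token
        pos = m.end()
    pattern += re.escape(definition[pos:])
    match = re.fullmatch(pattern, usage, re.S)
    if not match:
        return None
    values = match.groupdict()
    for token, value in values.items():
        flt = FILTERS.get(token)
        if flt is None or not flt.fullmatch(value):
            return None
    # quote=True also escapes " and ', so no value can terminate an attribute.
    return TOKEN_RE.sub(lambda m: html.escape(values.get(m.group(1), ""), quote=True),
                        template)
```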
A guess is that the updated s9e/text-formatter library is now directly or indirectly rejecting the attempt to use this "unsafe" input in the HTML attribute. There may be two ways to proceed here: make the BBCode system honor BBCodes that were working in phpBB 3.2.5 and earlier; or update this warning, the documentation, and the database upgrade process itself to account for the fact that such BBCode definitions simply aren't allowed any more.