PHPOffice
diff --git a/Diff for: ‎src/PhpSpreadsheet/Writer/Html.php
+5-4 b/Diff for: ‎src/PhpSpreadsheet/Writer/Html.php
+5-4
diff --git a/Diff for: ‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php
+23 b/Diff for: ‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php
+23
diff --git a/Diff for: ‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php
+23 b/Diff for: ‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php
+23
diff --git a/Diff for: ‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php
+23 b/Diff for: ‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php
+23
diff --git a/Diff for: ‎tests/data/Reader/XLSX/sec-j47r.dontuse
8.68 KB b/Diff for: ‎tests/data/Reader/XLSX/sec-j47r.dontuse
8.68 KB
diff --git a/Diff for: ‎tests/data/Reader/XLSX/sec-p66w.dontuse
8.11 KB b/Diff for: ‎tests/data/Reader/XLSX/sec-p66w.dontuse
8.11 KB
diff --git a/Diff for: ‎tests/data/Reader/XLSX/sec-q229.dontuse
8.73 KB b/Diff for: ‎tests/data/Reader/XLSX/sec-q229.dontuse
8.73 KB
@@ -403,12 +403,12 @@ public function generateHTMLHeader(bool $includeStyles = false): string
                 } else {
                     $propertyValue = (string) $propertyValue;
                 }
-                $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");
+                $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));
             }
         }
 
         if (!empty($properties->getHyperlinkBase())) {
-            $html .= '      <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;
+            $html .= '      <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;
         }
 
         $html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);
@@ -1586,8 +1586,9 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri
             // Hyperlink?
             if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {
                 $url = $worksheet->getHyperlink($coordinate)->getUrl();
-                $urldecode = strtolower(html_entity_decode(trim($url), encoding: 'UTF-8'));
-                $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);
+                $urlDecode1 = html_entity_decode($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+                $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;
+                $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);
                 if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {
                     $cellData = htmlspecialchars($url, Settings::htmlEntityFlags());
                 } else {
 
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadCustomPropertyTest extends TestCase
+{
+    public function testBadCustomProperty(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-q229.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<meta name="custom.string.custom_property&quot;&gt;&lt;img src=1 onerror=alert()&gt;" content="test" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkBaseTest extends TestCase
+{
+    public function testBadHyperlinkBase(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-p66w.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<base href="&quot;&gt;&lt;img src=1 onerror=alert()&gt;" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkTest extends TestCase
+{
+    public function testBadHyperlink(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-j47r.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString("<td class=\"column0 style1 f\">jav\tascript:alert()</td>", $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -403,12 +403,12 @@ public function generateHTMLHeader(bool $includeStyles = false): string`
`403`	`403`	`} else {`
`404`	`404`	`$propertyValue = (string) $propertyValue;`
`405`	`405`	`}`
`406`		`- $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");`
	`406`	`+ $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));`
`407`	`407`	`}`
`408`	`408`	`}`
`409`	`409`
`410`	`410`	`if (!empty($properties->getHyperlinkBase())) {`
`411`		`- $html .= ' <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;`
	`411`	`+ $html .= ' <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;`
`412`	`412`	`}`
`413`	`413`
`414`	`414`	`$html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);`
`@@ -1586,8 +1586,9 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri`
`1586`	`1586`	`// Hyperlink?`
`1587`	`1587`	`if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {`
`1588`	`1588`	`$url = $worksheet->getHyperlink($coordinate)->getUrl();`
`1589`		`- $urldecode = strtolower(html_entity_decode(trim($url), encoding: 'UTF-8'));`
`1590`		`- $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);`
	`1589`	`+ $urlDecode1 = html_entity_decode($url, ENT_QUOTES \| ENT_SUBSTITUTE, 'UTF-8');`
	`1590`	`+ $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;`
	`1591`	`+ $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);`
`1591`	`1592`	`if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {`
`1592`	`1593`	`$cellData = htmlspecialchars($url, Settings::htmlEntityFlags());`
`1593`	`1594`	`} else {`