Escape incoming invalid XML characters using htmlspecialchars().

Author: tjarrett

src/PhpWord/Reader/Word2007/AbstractPart.php

@@ -135,7 +135,7 @@ protected function readParagraph(XMLReader $xmlReader, \DOMElement $domNode, $pa
                     }
                 }
             }
-            $parent->addPreserveText($textContent, $fontStyle, $paragraphStyle);
+            $parent->addPreserveText(htmlspecialchars($textContent, ENT_QUOTES | ENT_XML1), $fontStyle, $paragraphStyle);
         } elseif ($xmlReader->elementExists('w:pPr/w:numPr', $domNode)) {
             // List item
             $numId = $xmlReader->getAttribute('w:val', $domNode, 'w:pPr/w:numPr/w:numId');
@@ -152,7 +152,7 @@ protected function readParagraph(XMLReader $xmlReader, \DOMElement $domNode, $pa
             $textContent = null;
             $nodes = $xmlReader->getElements('w:r', $domNode);
             if ($nodes->length === 1) {
-                $textContent = $xmlReader->getValue('w:t', $nodes->item(0));
+                $textContent = htmlspecialchars($xmlReader->getValue('w:t', $nodes->item(0)), ENT_QUOTES | ENT_XML1);
             } else {
                 $textContent = new TextRun($paragraphStyle);
                 foreach ($nodes as $node) {
@@ -275,7 +275,7 @@ protected function readRunChild(XMLReader $xmlReader, \DOMElement $node, Abstrac
             $parent->addText("\t");
         } elseif ($node->nodeName == 'w:t' || $node->nodeName == 'w:delText') {
             // TextRun
-            $textContent = $xmlReader->getValue('.', $node);
+            $textContent = htmlspecialchars($xmlReader->getValue('.', $node), ENT_QUOTES | ENT_XML1);
 
             if ($runParent->nodeName == 'w:hyperlink') {
                 $rId = $xmlReader->getAttribute('r:id', $runParent);