PHPOffice
diff --git a/‎CHANGELOG.md‎
Lines changed: 2 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/PhpSpreadsheet/Writer/Html.php‎
Lines changed: 5 additions & 4 deletions b/‎src/PhpSpreadsheet/Writer/Html.php‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php‎
Lines changed: 23 additions & 0 deletions b/‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php‎
Lines changed: 23 additions & 0 deletions b/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php‎
Lines changed: 23 additions & 0 deletions b/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎tests/data/Reader/XLSX/sec-j47r.dontuse‎
8.68 KB b/‎tests/data/Reader/XLSX/sec-j47r.dontuse‎
8.68 KB
diff --git a/‎tests/data/Reader/XLSX/sec-p66w.dontuse‎
8.11 KB b/‎tests/data/Reader/XLSX/sec-p66w.dontuse‎
8.11 KB
diff --git a/‎tests/data/Reader/XLSX/sec-q229.dontuse‎
8.73 KB b/‎tests/data/Reader/XLSX/sec-q229.dontuse‎
8.73 KB
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com)
 and this project adheres to [Semantic Versioning](https://semver.org).
 
-# TBD - 1.29.7
+# 2024-12-26 - 1.29.7
 
 ### Deprecated
 
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org).
 
 - More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276)
 - Backported security patches for Samples.
+- Backported security patches for Html Writer.
 
 ## 1.29.6 - 2024-12-08
 
 
@@ -407,12 +407,12 @@ public function generateHTMLHeader($includeStyles = false)
                 } else {
                     $propertyValue = (string) $propertyValue;
                 }
-                $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");
+                $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));
             }
         }
 
         if (!empty($properties->getHyperlinkBase())) {
-            $html .= '      <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;
+            $html .= '      <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;
         }
 
         $html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);
@@ -1519,8 +1519,9 @@ private function generateRow(Worksheet $worksheet, array $values, $row, $cellTyp
             // Hyperlink?
             if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {
                 $url = $worksheet->getHyperlink($coordinate)->getUrl();
-                $urldecode = strtolower(html_entity_decode(trim($url), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8'));
-                $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);
+                $urlDecode1 = html_entity_decode($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+                $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;
+                $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);
                 if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {
                     $cellData = htmlspecialchars($url, Settings::htmlEntityFlags());
                 } else {
 
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadCustomPropertyTest extends TestCase
+{
+    public function testBadCustomProperty(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-q229.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<meta name="custom.string.custom_property&quot;&gt;&lt;img src=1 onerror=alert()&gt;" content="test" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkBaseTest extends TestCase
+{
+    public function testBadHyperlinkBase(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-p66w.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<base href="&quot;&gt;&lt;img src=1 onerror=alert()&gt;" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkTest extends TestCase
+{
+    public function testBadHyperlink(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-j47r.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString("<td class=\"column0 style1 f\">jav\tascript:alert()</td>", $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -407,12 +407,12 @@ public function generateHTMLHeader($includeStyles = false)`
`407`	`407`	`} else {`
`408`	`408`	`$propertyValue = (string) $propertyValue;`
`409`	`409`	`}`
`410`		`- $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");`
	`410`	`+ $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));`
`411`	`411`	`}`
`412`	`412`	`}`
`413`	`413`
`414`	`414`	`if (!empty($properties->getHyperlinkBase())) {`
`415`		`- $html .= ' <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;`
	`415`	`+ $html .= ' <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;`
`416`	`416`	`}`
`417`	`417`
`418`	`418`	`$html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);`
`@@ -1519,8 +1519,9 @@ private function generateRow(Worksheet $worksheet, array $values, $row, $cellTyp`
`1519`	`1519`	`// Hyperlink?`
`1520`	`1520`	`if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {`
`1521`	`1521`	`$url = $worksheet->getHyperlink($coordinate)->getUrl();`
`1522`		`- $urldecode = strtolower(html_entity_decode(trim($url), ENT_QUOTES \| ENT_SUBSTITUTE \| ENT_HTML401, 'UTF-8'));`
`1523`		`- $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);`
	`1522`	`+ $urlDecode1 = html_entity_decode($url, ENT_QUOTES \| ENT_SUBSTITUTE, 'UTF-8');`
	`1523`	`+ $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;`
	`1524`	`+ $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);`
`1524`	`1525`	`if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {`
`1525`	`1526`	`$cellData = htmlspecialchars($url, Settings::htmlEntityFlags());`
`1526`	`1527`	`} else {`