Restrict Protocols for Html Hyperlinks

Render hyperlink as text if it begins with a string of word characters followed by colon, unless the string is one of http, https, file, ftp, or s3.

Author: oleibman

src/PhpSpreadsheet/Writer/Html.php

@@ -1528,7 +1528,14 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri
 
             // Hyperlink?
             if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {
-                $cellData = '<a href="' . htmlspecialchars($worksheet->getHyperlink($coordinate)->getUrl(), Settings::htmlEntityFlags()) . '" title="' . htmlspecialchars($worksheet->getHyperlink($coordinate)->getTooltip(), Settings::htmlEntityFlags()) . '">' . $cellData . '</a>';
+                $url = $worksheet->getHyperlink($coordinate)->getUrl();
+                $urldecode = strtolower(html_entity_decode(trim($url), encoding: 'UTF-8'));
+                $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);
+                if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {
+                    $cellData = htmlspecialchars($url, Settings::htmlEntityFlags());
+                } else {
+                    $cellData = '<a href="' . htmlspecialchars($url, Settings::htmlEntityFlags()) . '" title="' . htmlspecialchars($worksheet->getHyperlink($coordinate)->getTooltip(), Settings::htmlEntityFlags()) . '">' . $cellData . '</a>';
+                }
             }
 
             // Should the cell be written or is it swallowed by a rowspan or colspan?

tests/PhpSpreadsheetTests/Reader/Xlsx/URLImageTest.php

@@ -59,7 +59,7 @@ public function testURLImageSourceNotFound(): void
 
     public function testURLImageSourceBadProtocol(): void
     {
-        $filename = realpath(__DIR__ . '/../../../data/Reader/XLSX/urlImage.bad.xlsx');
+        $filename = realpath(__DIR__ . '/../../../data/Reader/XLSX/urlImage.bad.dontuse');
         self::assertNotFalse($filename);
         $this->expectException(SpreadsheetException::class);
         $this->expectExceptionMessage('Invalid protocol for linked drawing');

tests/PhpSpreadsheetTests/Writer/Html/NoJavascriptLinksTest.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Cell\Hyperlink;
+use PhpOffice\PhpSpreadsheet\Spreadsheet;
+use PhpOffice\PhpSpreadsheet\Writer\Html;
+use PHPUnit\Framework\TestCase;
+
+class NoJavascriptLinksTest extends TestCase
+{
+    public function testNoJavascriptLinks(): void
+    {
+        $spreadsheet = new Spreadsheet();
+        $sheet = $spreadsheet->getActiveSheet();
+        $sheet->getCell('A1')->setValue('Click me');
+        $hyperlink = new Hyperlink('http://www.example.com');
+        $sheet->getCell('A1')->setHyperlink($hyperlink);
+        $sheet->getCell('A2')->setValue('JS link');
+        $hyperlink2 = new Hyperlink('javascript:alert(\'hello1\')');
+        $sheet->getCell('A2')->setHyperlink($hyperlink2);
+        $sheet->getCell('A3')->setValue('=HYPERLINK("javascript:alert(\'hello2\')", "jsfunc click")');
+
+        $writer = new Html($spreadsheet);
+        $html = $writer->generateHTMLAll();
+        self::assertStringContainsString('<td class="column0 style0 s"><a href="http://www.example.com" title="">Click me</a></td>', $html, 'http hyperlink retained');
+        self::assertStringContainsString('<td class="column0 style0 s">javascript:alert(\'hello1\')</td>', $html, 'javascript hyperlink dropped');
+        self::assertStringContainsString('<td class="column0 style0 f">javascript:alert(\'hello2\')</td>', $html, 'javascript hyperlink function dropped');
+        $spreadsheet->disconnectWorksheets();
+    }
+}