Merge commit from fork

oleibman · web-flow · commit 63ccb02ab9ed · 2024-09-13T18:17:30.000-07:00
* Check for Whitespace Around Xml Encoding

* More Tests
diff --git a/src/PhpSpreadsheet/Reader/Security/XmlScanner.php b/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
@@ -51,8 +51,8 @@ private function toUtf8(string $xml): string
     private function findCharSet(string $xml): string
     {
         $patterns = [
-            '/encoding="([^"]*]?)"/',
-            "/encoding='([^']*?)'/",
+            '/encoding\\s*=\\s*"([^"]*]?)"/',
+            "/encoding\\s*=\\s*'([^']*?)'/",
         ];
 
         foreach ($patterns as $pattern) {
diff --git a/tests/PhpSpreadsheetTests/Reader/Security/XmlScannerTest.php b/tests/PhpSpreadsheetTests/Reader/Security/XmlScannerTest.php
@@ -131,4 +131,20 @@ public function testEncodingAllowsMixedCase(): void
         $output = $scanner->scan($input = '<?xml version="1.0" encoding="utf-8"?><foo>bar</foo>');
         self::assertSame($input, $output);
     }
+
+    public function testUtf7Whitespace(): void
+    {
+        $this->expectException(ReaderException::class);
+        $this->expectExceptionMessage('Double-encoded');
+        $reader = new Xlsx();
+        $reader->load('tests/data/Reader/XLSX/utf7white.dontuse');
+    }
+
+    public function testUtf8Entity(): void
+    {
+        $this->expectException(ReaderException::class);
+        $this->expectExceptionMessage('Detected use of ENTITY');
+        $reader = new Xlsx();
+        $reader->load('tests/data/Reader/XLSX/utf8entity.dontuse');
+    }
 }
diff --git a/tests/data/Reader/XLSX/utf7white.dontuse b/tests/data/Reader/XLSX/utf7white.dontuse
diff --git a/tests/data/Reader/XLSX/utf8entity.dontuse b/tests/data/Reader/XLSX/utf8entity.dontuse
diff --git a/tests/data/Reader/Xml/XEETestInvalidUTF-7-whitespace.xml b/tests/data/Reader/Xml/XEETestInvalidUTF-7-whitespace.xml
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding ='UTF-7' standalone="yes"?>
+    +ADw-+ACE-DOCTYPE+ACA-foo+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-toreplace+ACA-+ACI-xxe+AF8-test+ACI-+AD4-+ACA-+AF0-+AD4-+AAo-+ADw-sst+ACA-xmlns+AD0-+ACI-http://schemas.openxmlformats.org/spreadsheetml/2006/main+ACI-+ACA-count+AD0-+ACI-2+ACI-+ACA-uniqueCount+AD0-+ACI-1+ACI-+AD4-+ADw-si+AD4-+ADw-t+AD4-+ACY-toreplace+ADs-+ADw-/t+AD4-+ADw-/si+AD4-+ADw-/sst+AD4-
diff --git a/tests/data/Reader/Xml/XEETestValidUTF-8-whitespace.xml b/tests/data/Reader/Xml/XEETestValidUTF-8-whitespace.xml
@@ -0,0 +1,4 @@
+<?xml version='1.0' encoding = "UTF-8" standalone='yes'?>
+<root>
+	test: Valid
+</root>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+<?xml version="1.0" encoding ='UTF-7' standalone="yes"?>`
	`2`	`+ +ADw-+ACE-DOCTYPE+ACA-foo+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-toreplace+ACA-+ACI-xxe+AF8-test+ACI-+AD4-+ACA-+AF0-+AD4-+AAo-+ADw-sst+ACA-xmlns+AD0-+ACI-http://schemas.openxmlformats.org/spreadsheetml/2006/main+ACI-+ACA-count+AD0-+ACI-2+ACI-+ACA-uniqueCount+AD0-+ACI-1+ACI-+AD4-+ADw-si+AD4-+ADw-t+AD4-+ACY-toreplace+ADs-+ADw-/t+AD4-+ADw-/si+AD4-+ADw-/sst+AD4-`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +<?xml version='1.0' encoding = "UTF-8" standalone='yes'?>
 +<root>
 +	test: Valid
 +</root>