Html Writer Allow mailto

Fix #4316. A security patch white-listed the protocols that could be used in a hyperlink. This PR adds mailto to the list.

Author: oleibman

src/PhpSpreadsheet/Writer/Html.php

@@ -1589,10 +1589,15 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri
                 $urlDecode1 = html_entity_decode($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
                 $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;
                 $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);
-                if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {
+                if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 'mailto', 's3'], true)) {
                     $cellData = htmlspecialchars($url, Settings::htmlEntityFlags());
                 } else {
-                    $cellData = '<a href="' . htmlspecialchars($url, Settings::htmlEntityFlags()) . '" title="' . htmlspecialchars($worksheet->getHyperlink($coordinate)->getTooltip(), Settings::htmlEntityFlags()) . '">' . $cellData . '</a>';
+                    $tooltip = $worksheet->getHyperlink($coordinate)->getTooltip();
+                    $tooltipOut = empty($tooltip) ? '' : (' title="' . htmlspecialchars($tooltip) . '"');
+                    $cellData = '<a href="'
+                        . htmlspecialchars($url) . '"'
+                        . $tooltipOut
+                        . '>' . $cellData . '</a>';
                 }
             }
 

tests/PhpSpreadsheetTests/Writer/Html/MailtoTest.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Spreadsheet;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class MailtoTest extends TestCase
+{
+    public function testBadHyperlink(): void
+    {
+        $spreadsheet = new Spreadsheet();
+        $worksheet = $spreadsheet->getActiveSheet();
+        $worksheet->setCellValue('A1', 'Mail Me!');
+        $worksheet->getCell('A1')
+            ->getHyperlink()
+            ->setUrl('mailto:[email protected]');
+        $worksheet->setCellValue('A2', 'Mail You!');
+        $worksheet->getCell('A2')
+            ->getHyperlink()
+            ->setTooltip('go ahead')
+            ->setUrl('mailto:[email protected]');
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<a href="mailto:[email protected]">Mail Me!</a>', $html);
+        self::assertStringContainsString('<a href="mailto:[email protected]" title="go ahead">Mail You!</a>', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}

tests/PhpSpreadsheetTests/Writer/Html/NoJavascriptLinksTest.php

@@ -25,7 +25,7 @@ public function testNoJavascriptLinks(): void
 
         $writer = new Html($spreadsheet);
         $html = $writer->generateHTMLAll();
-        self::assertStringContainsString('<td class="column0 style0 s"><a href="http://www.example.com" title="">Click me</a></td>', $html, 'http hyperlink retained');
+        self::assertStringContainsString('<td class="column0 style0 s"><a href="http://www.example.com">Click me</a></td>', $html, 'http hyperlink retained');
         self::assertStringContainsString('<td class="column0 style0 s">javascript:alert(\'hello1\')</td>', $html, 'javascript hyperlink dropped');
         self::assertStringContainsString('<td class="column0 style0 f">javascript:alert(\'hello2\')</td>', $html, 'javascript hyperlink function dropped');
         $spreadsheet->disconnectWorksheets();