Merge branch 'master' into deprecations

oleibman · web-flow · commit 6d8fc6751244 · 2025-08-02T19:07:45.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org). Thia is a
 
 ### Breaking Changes
 
+- Images will be loaded from an external source (e.g. http://example.com/img.png) only if the reader is explicitly set to allow it via `$reader->setAllowExternalImages(true)`. We do not believe that loading of external images is a widely used feature.
 - Deletion of items deprecated in Release 4. See "removed" below.
+- Move some properties from Base Reader to Html Reader. [PR #4551](https://github.com/PHPOffice/PhpSpreadsheet/pull/4551)
+- DefaultValueBinder will treat integers with more than 15 digits as strings. [Issue #4522](https://github.com/PHPOffice/PhpSpreadsheet/issues/4522) [PR #4527](https://github.com/PHPOffice/PhpSpreadsheet/pull/4527)
 
 ### Added
 
diff --git a/docs/references/features-cross-reference.md b/docs/references/features-cross-reference.md
@@ -1028,7 +1028,7 @@
 6. <span id="footnote6">There is very limited support for reading styles from an Ods spreadsheet. Writing styles has better support, although Number Format is incomplete.</span>
 7. <span id="footnote7">In most cases, Html reader processes only inline styles; styles provided by Css classes may be ignored.</span>
 8. <span id="footnote8">Code must [opt in](../topics/recipes.md#array-formulas) to array output.</span>
-9. <span id="footnote9">Starting with release 4.5, code can allow or not external images. In release 4.5 (and in earlier releases which do not offer an option), default is to allow it.</span>
+9. <span id="footnote9">Use with caution - allowing external images may can subject the caller to security exploits. Starting with release 4.5.0 (also earlier releases 3.9.3, 2.3.10, 2.1.11, and 1.29.12), code can allow or not external images. In those starting releases, and in earlier releases which do not offer an option, default is to allow it. In release 5+ (and earlier supported versions 1.30+, 2.1.12+, 2.4+, and 3.10+), the default is to not allow it.</span>
 
 ## Writers
 
diff --git a/src/PhpSpreadsheet/Cell/DefaultValueBinder.php b/src/PhpSpreadsheet/Cell/DefaultValueBinder.php
@@ -2,6 +2,7 @@
 
 namespace PhpOffice\PhpSpreadsheet\Cell;
 
+use Composer\Pcre\Preg;
 use DateTimeInterface;
 use PhpOffice\PhpSpreadsheet\Calculation\Calculation;
 use PhpOffice\PhpSpreadsheet\Calculation\Exception as CalculationException;
@@ -12,6 +13,9 @@
 
 class DefaultValueBinder implements IValueBinder
 {
+    //                            123 456 789 012 345
+    private const FIFTEEN_NINES = 999_999_999_999_999;
+
     /**
      * Bind value to a cell.
      *
@@ -49,6 +53,9 @@ public static function dataTypeForValue(mixed $value): string
         if ($value === null) {
             return DataType::TYPE_NULL;
         }
+        if (is_int($value) && abs($value) > self::FIFTEEN_NINES) {
+            return DataType::TYPE_STRING;
+        }
         if (is_float($value) || is_int($value)) {
             return DataType::TYPE_NUMERIC;
         }
@@ -89,13 +96,18 @@ public static function dataTypeForValue(mixed $value): string
 
             return DataType::TYPE_FORMULA;
         }
-        if (preg_match('/^[\+\-]?(\d+\.?\d*|\d*\.?\d+)([Ee][\-\+]?[0-2]?\d{1,3})?$/', $value)) {
+        if (Preg::isMatch('/^[\+\-]?(\d+\.?\d*|\d*\.?\d+)([Ee][\-\+]?[0-2]?\d{1,3})?$/', $value)) {
             $tValue = ltrim($value, '+-');
             if (strlen($tValue) > 1 && $tValue[0] === '0' && $tValue[1] !== '.') {
                 return DataType::TYPE_STRING;
-            } elseif ((!str_contains($value, '.')) && ($value > PHP_INT_MAX)) {
-                return DataType::TYPE_STRING;
-            } elseif (!is_numeric($value)) {
+            }
+            if (!Preg::isMatch('/[eE.]/', $value)) {
+                $aValue = abs((float) $value);
+                if ($aValue > self::FIFTEEN_NINES) {
+                    return DataType::TYPE_STRING;
+                }
+            }
+            if (!is_numeric($value)) {
                 return DataType::TYPE_STRING;
             }
 
diff --git a/src/PhpSpreadsheet/Reader/BaseReader.php b/src/PhpSpreadsheet/Reader/BaseReader.php
@@ -52,7 +52,7 @@ abstract class BaseReader implements IReader
      * Improper specification of these within a spreadsheet
      * can subject the caller to security exploits.
      */
-    protected bool $allowExternalImages = true;
+    protected bool $allowExternalImages = false;
 
     /**
      * IReadFilter instance.
diff --git a/src/PhpSpreadsheet/Writer/BaseWriter.php b/src/PhpSpreadsheet/Writer/BaseWriter.php
@@ -2,8 +2,6 @@
 
 namespace PhpOffice\PhpSpreadsheet\Writer;
 
-use PhpOffice\PhpSpreadsheet\Exception as PhpSpreadsheetException;
-
 abstract class BaseWriter implements IWriter
 {
     /**
@@ -19,18 +17,6 @@ abstract class BaseWriter implements IWriter
      */
     protected bool $preCalculateFormulas = true;
 
-    /**
-     * Table formats
-     * Enables table formats in writer, disabled here, must be enabled in writer via a setter.
-     */
-    protected bool $tableFormats = false;
-
-    /**
-     * Conditional Formatting
-     * Enables conditional formatting in writer, disabled here, must be enabled in writer via a setter.
-     */
-    protected bool $conditionalFormatting = false;
-
     /**
      * Use disk caching where possible?
      */
@@ -72,34 +58,6 @@ public function setPreCalculateFormulas(bool $precalculateFormulas): self
         return $this;
     }
 
-    public function getTableFormats(): bool
-    {
-        return $this->tableFormats;
-    }
-
-    public function setTableFormats(bool $tableFormats): self
-    {
-        if ($tableFormats) {
-            throw new PhpSpreadsheetException('Table formatting not implemented for this writer');
-        }
-
-        return $this;
-    }
-
-    public function getConditionalFormatting(): bool
-    {
-        return $this->conditionalFormatting;
-    }
-
-    public function setConditionalFormatting(bool $conditionalFormatting): self
-    {
-        if ($conditionalFormatting) {
-            throw new PhpSpreadsheetException('Conditional Formatting not implemented for this writer');
-        }
-
-        return $this;
-    }
-
     public function getUseDiskCaching(): bool
     {
         return $this->useDiskCaching;
diff --git a/src/PhpSpreadsheet/Writer/Html.php b/src/PhpSpreadsheet/Writer/Html.php
@@ -162,6 +162,18 @@ class Html extends BaseWriter
 
     protected bool $ltrSheets = false;
 
+    /**
+     * Table formats
+     * Enables table formats in writer, disabled here, must be enabled in writer via a setter.
+     */
+    protected bool $tableFormats = false;
+
+    /**
+     * Conditional Formatting
+     * Enables conditional formatting in writer, disabled here, must be enabled in writer via a setter.
+     */
+    protected bool $conditionalFormatting = false;
+
     /**
      * Create a new HTML.
      */
@@ -1935,13 +1947,23 @@ public function setUseInlineCss(bool $useInlineCss): static
         return $this;
     }
 
+    public function getTableFormats(): bool
+    {
+        return $this->tableFormats;
+    }
+
     public function setTableFormats(bool $tableFormats): self
     {
         $this->tableFormats = $tableFormats;
 
         return $this;
     }
 
+    public function getConditionalFormatting(): bool
+    {
+        return $this->conditionalFormatting;
+    }
+
     public function setConditionalFormatting(bool $conditionalFormatting): self
     {
         $this->conditionalFormatting = $conditionalFormatting;
diff --git a/tests/PhpSpreadsheetTests/Reader/Html/HtmlImage2Test.php b/tests/PhpSpreadsheetTests/Reader/Html/HtmlImage2Test.php
@@ -5,12 +5,19 @@
 namespace PhpOffice\PhpSpreadsheetTests\Reader\Html;
 
 use PhpOffice\PhpSpreadsheet\Exception as SpreadsheetException;
+use PhpOffice\PhpSpreadsheet\Reader\Html as HtmlReader;
 use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\TestCase;
 
 class HtmlImage2Test extends TestCase
 {
+    public function testDefault(): void
+    {
+        $reader = new HtmlReader();
+        self::assertFalse($reader->getAllowExternalImages());
+    }
+
     public function testCanInsertImageGoodProtocolAllowed(): void
     {
         if (getenv('SKIP_URL_IMAGE_TEST') === '1') {
diff --git a/tests/PhpSpreadsheetTests/Reader/Xlsx/URLImageTest.php b/tests/PhpSpreadsheetTests/Reader/Xlsx/URLImageTest.php
@@ -6,12 +6,19 @@
 
 use PhpOffice\PhpSpreadsheet\Exception as SpreadsheetException;
 use PhpOffice\PhpSpreadsheet\IOFactory;
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
 use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;
 use PhpOffice\PhpSpreadsheetTests\Reader\Utility\File;
 use PHPUnit\Framework\TestCase;
 
 class URLImageTest extends TestCase
 {
+    public function testDefault(): void
+    {
+        $reader = new XlsxReader();
+        self::assertFalse($reader->getAllowExternalImages());
+    }
+
     public function testURLImageSourceAllowed(): void
     {
         if (getenv('SKIP_URL_IMAGE_TEST') === '1') {
diff --git a/tests/PhpSpreadsheetTests/Writer/Xlsx/FloatsRetainedTest.php b/tests/PhpSpreadsheetTests/Writer/Xlsx/FloatsRetainedTest.php
@@ -8,16 +8,21 @@
 use PhpOffice\PhpSpreadsheet\Shared\File;
 use PhpOffice\PhpSpreadsheet\Spreadsheet;
 use PhpOffice\PhpSpreadsheet\Writer\Xlsx as Writer;
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\TestCase;
 
 class FloatsRetainedTest extends TestCase
 {
-    #[\PHPUnit\Framework\Attributes\DataProvider('providerIntyFloatsRetainedByWriter')]
-    public function testIntyFloatsRetainedByWriter(float|int $value): void
+    #[DataProvider('providerIntyFloatsRetainedByWriter')]
+    public function testIntyFloatsRetainedByWriter(float|int $value, mixed $expected = null): void
     {
+        if ($expected === null) {
+            $expected = $value;
+        }
         $outputFilename = File::temporaryFilename();
         $spreadsheet = new Spreadsheet();
-        $spreadsheet->getActiveSheet()->getCell('A1')->setValue($value);
+        $spreadsheet->getActiveSheet()
+            ->getCell('A1')->setValue($value);
 
         $writer = new Writer($spreadsheet);
         $writer->save($outputFilename);
@@ -27,7 +32,11 @@ public function testIntyFloatsRetainedByWriter(float|int $value): void
         $spreadsheet2 = $reader->load($outputFilename);
         unlink($outputFilename);
 
-        self::assertSame($value, $spreadsheet2->getActiveSheet()->getCell('A1')->getValue());
+        self::assertSame(
+            $expected,
+            $spreadsheet2->getActiveSheet()
+                ->getCell('A1')->getValue()
+        );
         $spreadsheet2->disconnectWorksheets();
     }
 
@@ -44,10 +53,10 @@ public static function providerIntyFloatsRetainedByWriter(): array
             [1.3e-10],
             [1e10],
             [3.00000000000000000001],
-            [99999999999999999],
-            [99999999999999999.0],
-            [999999999999999999999999999999999999999999],
-            [999999999999999999999999999999999999999999.0],
+            'int but too much precision for Excel' => [99_999_999_999_999_999, '99999999999999999'],
+            [99_999_999_999_999_999.0],
+            'int > PHP_INT_MAX so stored as float' => [999_999_999_999_999_999_999_999_999_999_999_999_999_999],
+            [999_999_999_999_999_999_999_999_999_999_999_999_999_999.0],
         ];
     }
 }
