Merge commit from fork

Author: oleibman

CHANGELOG.md

@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org). Thia is a
 
 ### Breaking Changes
 
-- Nothing yet.
+- Images will be loaded from an external source (e.g. http://example.com/img.png) only if the reader is explicitly set to allow it via `$reader->setAllowExternalImages(true)`. We do not believe that loading of external images is a widely used feature.
 
 ### Added
 

docs/references/features-cross-reference.md

@@ -1028,7 +1028,7 @@
 6. <span id="footnote6">There is very limited support for reading styles from an Ods spreadsheet. Writing styles has better support, although Number Format is incomplete.</span>
 7. <span id="footnote7">In most cases, Html reader processes only inline styles; styles provided by Css classes may be ignored.</span>
 8. <span id="footnote8">Code must [opt in](../topics/recipes.md#array-formulas) to array output.</span>
-9. <span id="footnote9">Starting with release 4.5, code can allow or not external images. In release 4.5 (and in earlier releases which do not offer an option), default is to allow it.</span>
+9. <span id="footnote9">Use with caution - allowing external images may can subject the caller to security exploits. Starting with release 4.5.0 (also earlier releases 3.9.3, 2.3.10, 2.1.11, and 1.29.12), code can allow or not external images. In those starting releases, and in earlier releases which do not offer an option, default is to allow it. In release 5+ (and earlier supported versions 1.30+, 2.1.12+, 2.4+, and 3.10+), the default is to not allow it.</span>
 
 ## Writers
 

src/PhpSpreadsheet/Reader/BaseReader.php

@@ -52,7 +52,7 @@ abstract class BaseReader implements IReader
      * Improper specification of these within a spreadsheet
      * can subject the caller to security exploits.
      */
-    protected bool $allowExternalImages = true;
+    protected bool $allowExternalImages = false;
 
     /**
      * IReadFilter instance.

tests/PhpSpreadsheetTests/Reader/Html/HtmlImage2Test.php

@@ -5,12 +5,19 @@
 namespace PhpOffice\PhpSpreadsheetTests\Reader\Html;
 
 use PhpOffice\PhpSpreadsheet\Exception as SpreadsheetException;
+use PhpOffice\PhpSpreadsheet\Reader\Html as HtmlReader;
 use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\TestCase;
 
 class HtmlImage2Test extends TestCase
 {
+    public function testDefault(): void
+    {
+        $reader = new HtmlReader();
+        self::assertFalse($reader->getAllowExternalImages());
+    }
+
     public function testCanInsertImageGoodProtocolAllowed(): void
     {
         if (getenv('SKIP_URL_IMAGE_TEST') === '1') {

tests/PhpSpreadsheetTests/Reader/Xlsx/URLImageTest.php

@@ -6,12 +6,19 @@
 
 use PhpOffice\PhpSpreadsheet\Exception as SpreadsheetException;
 use PhpOffice\PhpSpreadsheet\IOFactory;
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
 use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;
 use PhpOffice\PhpSpreadsheetTests\Reader\Utility\File;
 use PHPUnit\Framework\TestCase;
 
 class URLImageTest extends TestCase
 {
+    public function testDefault(): void
+    {
+        $reader = new XlsxReader();
+        self::assertFalse($reader->getAllowExternalImages());
+    }
+
     public function testURLImageSourceAllowed(): void
     {
         if (getenv('SKIP_URL_IMAGE_TEST') === '1') {