PHPOffice
diff --git a/‎CHANGELOG.md
Lines changed: 2 additions & 1 deletion b/‎CHANGELOG.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/PhpSpreadsheet/Writer/Html.php
Lines changed: 5 additions & 4 deletions b/‎src/PhpSpreadsheet/Writer/Html.php
Lines changed: 5 additions & 4 deletions
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php
Lines changed: 23 additions & 0 deletions b/‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php
Lines changed: 23 additions & 0 deletions
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php
Lines changed: 23 additions & 0 deletions b/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php
Lines changed: 23 additions & 0 deletions
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php
Lines changed: 23 additions & 0 deletions b/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php
Lines changed: 23 additions & 0 deletions
diff --git a/‎tests/data/Reader/XLSX/sec-j47r.dontuse
8.68 KB b/‎tests/data/Reader/XLSX/sec-j47r.dontuse
8.68 KB
diff --git a/‎tests/data/Reader/XLSX/sec-p66w.dontuse
8.11 KB b/‎tests/data/Reader/XLSX/sec-p66w.dontuse
8.11 KB
diff --git a/‎tests/data/Reader/XLSX/sec-q229.dontuse
8.73 KB b/‎tests/data/Reader/XLSX/sec-q229.dontuse
8.73 KB
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com)
 and this project adheres to [Semantic Versioning](https://semver.org).
 
-# TBD - 2.3.5
+# 2024-12-26 - 2.3.5
 
 ### Deprecated
 
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org).
 
 - More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276)
 - Backported security patches for Samples.
+- Backported security patches for Html Writer.
 
 ## 2024-12-08 - 2.3.4
 
 
@@ -392,12 +392,12 @@ public function generateHTMLHeader(bool $includeStyles = false): string
                 } else {
                     $propertyValue = (string) $propertyValue;
                 }
-                $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");
+                $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));
             }
         }
 
         if (!empty($properties->getHyperlinkBase())) {
-            $html .= '      <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;
+            $html .= '      <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;
         }
 
         $html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);
@@ -1526,8 +1526,9 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri
             // Hyperlink?
             if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {
                 $url = $worksheet->getHyperlink($coordinate)->getUrl();
-                $urldecode = strtolower(html_entity_decode(trim($url), encoding: 'UTF-8'));
-                $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);
+                $urlDecode1 = html_entity_decode($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+                $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;
+                $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);
                 if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {
                     $cellData = htmlspecialchars($url, Settings::htmlEntityFlags());
                 } else {
 
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadCustomPropertyTest extends TestCase
+{
+    public function testBadCustomProperty(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-q229.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<meta name="custom.string.custom_property&quot;&gt;&lt;img src=1 onerror=alert()&gt;" content="test" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkBaseTest extends TestCase
+{
+    public function testBadHyperlinkBase(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-p66w.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<base href="&quot;&gt;&lt;img src=1 onerror=alert()&gt;" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkTest extends TestCase
+{
+    public function testBadHyperlink(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-j47r.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString("<td class=\"column0 style1 f\">jav\tascript:alert()</td>", $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -392,12 +392,12 @@ public function generateHTMLHeader(bool $includeStyles = false): string`
`392`	`392`	`} else {`
`393`	`393`	`$propertyValue = (string) $propertyValue;`
`394`	`394`	`}`
`395`		`- $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");`
	`395`	`+ $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));`
`396`	`396`	`}`
`397`	`397`	`}`
`398`	`398`
`399`	`399`	`if (!empty($properties->getHyperlinkBase())) {`
`400`		`- $html .= ' <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;`
	`400`	`+ $html .= ' <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;`
`401`	`401`	`}`
`402`	`402`
`403`	`403`	`$html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);`
`@@ -1526,8 +1526,9 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri`
`1526`	`1526`	`// Hyperlink?`
`1527`	`1527`	`if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {`
`1528`	`1528`	`$url = $worksheet->getHyperlink($coordinate)->getUrl();`
`1529`		`- $urldecode = strtolower(html_entity_decode(trim($url), encoding: 'UTF-8'));`
`1530`		`- $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);`
	`1529`	`+ $urlDecode1 = html_entity_decode($url, ENT_QUOTES \| ENT_SUBSTITUTE, 'UTF-8');`
	`1530`	`+ $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;`
	`1531`	`+ $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);`
`1531`	`1532`	`if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {`
`1532`	`1533`	`$cellData = htmlspecialchars($url, Settings::htmlEntityFlags());`
`1533`	`1534`	`} else {`