PHPOffice
diff --git a/‎CHANGELOG.md
+2-1 b/‎CHANGELOG.md
+2-1
diff --git a/‎src/PhpSpreadsheet/Writer/Html.php
+5-4 b/‎src/PhpSpreadsheet/Writer/Html.php
+5-4
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php
+23 b/‎tests/PhpSpreadsheetTests/Writer/Html/BadCustomPropertyTest.php
+23
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php
+23 b/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkBaseTest.php
+23
diff --git a/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php
+23 b/‎tests/PhpSpreadsheetTests/Writer/Html/BadHyperlinkTest.php
+23
diff --git a/‎tests/data/Reader/XLSX/sec-j47r.dontuse
8.68 KB b/‎tests/data/Reader/XLSX/sec-j47r.dontuse
8.68 KB
diff --git a/‎tests/data/Reader/XLSX/sec-p66w.dontuse
8.11 KB b/‎tests/data/Reader/XLSX/sec-p66w.dontuse
8.11 KB
diff --git a/‎tests/data/Reader/XLSX/sec-q229.dontuse
8.73 KB b/‎tests/data/Reader/XLSX/sec-q229.dontuse
8.73 KB
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com)
 and this project adheres to [Semantic Versioning](https://semver.org).
 
-# TBD - 2.1.6
+# 2024-12-26 - 2.1.6
 
 ### Deprecated
 
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org).
 
 - More context options may be needed for http(s) image. Backport of [PR #4276](https://github.com/PHPOffice/PhpSpreadsheet/pull/4276)
 - Backported security patches for Samples.
+- Backported security patches for Html Writer.
 
 ## 2024-12-08 - 2.1.5
 
 
@@ -386,12 +386,12 @@ public function generateHTMLHeader(bool $includeStyles = false): string
                 } else {
                     $propertyValue = (string) $propertyValue;
                 }
-                $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");
+                $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));
             }
         }
 
         if (!empty($properties->getHyperlinkBase())) {
-            $html .= '      <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;
+            $html .= '      <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;
         }
 
         $html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);
@@ -1494,8 +1494,9 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri
             // Hyperlink?
             if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {
                 $url = $worksheet->getHyperlink($coordinate)->getUrl();
-                $urldecode = strtolower(html_entity_decode(trim($url), encoding: 'UTF-8'));
-                $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);
+                $urlDecode1 = html_entity_decode($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+                $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;
+                $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);
                 if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {
                     $cellData = htmlspecialchars($url, Settings::htmlEntityFlags());
                 } else {
 
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadCustomPropertyTest extends TestCase
+{
+    public function testBadCustomProperty(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-q229.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<meta name="custom.string.custom_property&quot;&gt;&lt;img src=1 onerror=alert()&gt;" content="test" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkBaseTest extends TestCase
+{
+    public function testBadHyperlinkBase(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-p66w.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString('<base href="&quot;&gt;&lt;img src=1 onerror=alert()&gt;" />', $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Reader\Xlsx as XlsxReader;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class BadHyperlinkTest extends TestCase
+{
+    public function testBadHyperlink(): void
+    {
+        $reader = new XlsxReader();
+        $infile = 'tests/data/Reader/XLSX/sec-j47r.dontuse';
+        $spreadsheet = $reader->load($infile);
+        $writer = new HtmlWriter($spreadsheet);
+        $html = $writer->generateHtmlAll();
+        self::assertStringContainsString("<td class=\"column0 style1 f\">jav\tascript:alert()</td>", $html);
+        $spreadsheet->disconnectWorksheets();
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -386,12 +386,12 @@ public function generateHTMLHeader(bool $includeStyles = false): string`
`386`	`386`	`} else {`
`387`	`387`	`$propertyValue = (string) $propertyValue;`
`388`	`388`	`}`
`389`		`- $html .= self::generateMeta($propertyValue, "custom.$propertyQualifier.$customProperty");`
	`389`	`+ $html .= self::generateMeta($propertyValue, htmlspecialchars("custom.$propertyQualifier.$customProperty"));`
`390`	`390`	`}`
`391`	`391`	`}`
`392`	`392`
`393`	`393`	`if (!empty($properties->getHyperlinkBase())) {`
`394`		`- $html .= ' <base href="' . $properties->getHyperlinkBase() . '" />' . PHP_EOL;`
	`394`	`+ $html .= ' <base href="' . htmlspecialchars($properties->getHyperlinkBase()) . '" />' . PHP_EOL;`
`395`	`395`	`}`
`396`	`396`
`397`	`397`	`$html .= $includeStyles ? $this->generateStyles(true) : $this->generatePageDeclarations(true);`
`@@ -1494,8 +1494,9 @@ private function generateRow(Worksheet $worksheet, array $values, int $row, stri`
`1494`	`1494`	`// Hyperlink?`
`1495`	`1495`	`if ($worksheet->hyperlinkExists($coordinate) && !$worksheet->getHyperlink($coordinate)->isInternal()) {`
`1496`	`1496`	`$url = $worksheet->getHyperlink($coordinate)->getUrl();`
`1497`		`- $urldecode = strtolower(html_entity_decode(trim($url), encoding: 'UTF-8'));`
`1498`		`- $parseScheme = preg_match('/^(\\w+):/', $urldecode, $matches);`
	`1497`	`+ $urlDecode1 = html_entity_decode($url, ENT_QUOTES \| ENT_SUBSTITUTE, 'UTF-8');`
	`1498`	`+ $urlTrim = preg_replace('/^\\s+/u', '', $urlDecode1) ?? $urlDecode1;`
	`1499`	`+ $parseScheme = preg_match('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);`
`1499`	`1500`	`if ($parseScheme === 1 && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 's3'], true)) {`
`1500`	`1501`	`$cellData = htmlspecialchars($url, Settings::htmlEntityFlags());`
`1501`	`1502`	`} else {`