Backported Security Patch

oleibman · oleibman · commit 089ffdfc04b5 · 2025-01-11T19:16:27.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,14 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com)
 and this project adheres to [Semantic Versioning](https://semver.org).
 
-# TBD - 1.29.8
+# 2025-01-11 - 1.29.8
 
 ### Deprecated
 
 - Worksheet::getHashCode is no longer needed.
 
 ### Fixed
 
+- Backported security patch for Html navigation.
 - Change hash code for worksheet. Backport of [PR #4207](https://github.com/PHPOffice/PhpSpreadsheet/pull/4207)
 - Retitling cloned worksheets. Backport of [PR #4302](https://github.com/PHPOffice/PhpSpreadsheet/pull/4302)
 
diff --git a/src/PhpSpreadsheet/Writer/Html.php b/src/PhpSpreadsheet/Writer/Html.php
@@ -563,7 +563,7 @@ public function generateNavigation()
             $html .= '<ul class="navigation">' . PHP_EOL;
 
             foreach ($sheets as $sheet) {
-                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;
+                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . htmlspecialchars($sheet->getTitle()) . '</a></li>' . PHP_EOL;
                 ++$sheetId;
             }
 
diff --git a/tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php b/tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Spreadsheet;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class NavigationBadTitleTest extends TestCase
+{
+    public function testNavigationTitle(): void
+    {
+        $spreadsheet = new Spreadsheet();
+        $sheet = $spreadsheet->getActiveSheet();
+        $sheet->getCell('A1')->setValue(1);
+        $sheet2 = $spreadsheet->createSheet();
+        $sheet2->setTitle('<img src=x onerror=alert(1)>');
+        $sheet2->getCell('A2')->setValue(2);
+
+        $writer = new HtmlWriter($spreadsheet);
+        $writer->writeAllSheets();
+        $html = $writer->generateHTMLAll();
+        $expected = '<ul class="navigation">'
+            . PHP_EOL
+            . '  <li class="sheet0"><a href="#sheet0">Worksheet</a></li>'
+            . PHP_EOL
+            . '  <li class="sheet1"><a href="#sheet1">&lt;img src=x onerror=alert(1)&gt;</a></li>'
+            . PHP_EOL
+            . '</ul>';
+        self::assertStringContainsString($expected, $html, 'appropriate characters are escaped');
+        $spreadsheet->disconnectWorksheets();
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -563,7 +563,7 @@ public function generateNavigation()`
`563`	`563`	`$html .= '<ul class="navigation">' . PHP_EOL;`
`564`	`564`
`565`	`565`	`foreach ($sheets as $sheet) {`
`566`		`- $html .= ' <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;`
	`566`	`+ $html .= ' <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . htmlspecialchars($sheet->getTitle()) . '</a></li>' . PHP_EOL;`
`567`	`567`	`++$sheetId;`
`568`	`568`	`}`
`569`	`569`