Backported Security Patch

oleibman · oleibman · commit 098b848ee668 · 2025-01-11T19:22:26.000-08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,14 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com)
 and this project adheres to [Semantic Versioning](https://semver.org).
 
-# TBD - 2.3.6
+# 2025-01=11 - 2.3.6
 
 ### Deprecated
 
 - Worksheet::getHashCode is no longer needed.
 
 ### Fixed
 
+- Backported security patch for Html navigation.
 - Change hash code for worksheet. Backport of [PR #4207](https://github.com/PHPOffice/PhpSpreadsheet/pull/4207)
 - Retitling cloned worksheets. Backport of [PR #4302](https://github.com/PHPOffice/PhpSpreadsheet/pull/4302)
 
diff --git a/src/PhpSpreadsheet/Writer/Html.php b/src/PhpSpreadsheet/Writer/Html.php
@@ -550,7 +550,7 @@ public function generateNavigation(): string
             $html .= '<ul class="navigation">' . PHP_EOL;
 
             foreach ($sheets as $sheet) {
-                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;
+                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . htmlspecialchars($sheet->getTitle()) . '</a></li>' . PHP_EOL;
                 ++$sheetId;
             }
 
diff --git a/tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php b/tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Spreadsheet;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class NavigationBadTitleTest extends TestCase
+{
+    public function testNavigationTitle(): void
+    {
+        $spreadsheet = new Spreadsheet();
+        $sheet = $spreadsheet->getActiveSheet();
+        $sheet->getCell('A1')->setValue(1);
+        $sheet2 = $spreadsheet->createSheet();
+        $sheet2->setTitle('<img src=x onerror=alert(1)>');
+        $sheet2->getCell('A2')->setValue(2);
+
+        $writer = new HtmlWriter($spreadsheet);
+        $writer->writeAllSheets();
+        $html = $writer->generateHTMLAll();
+        $expected = '<ul class="navigation">'
+            . PHP_EOL
+            . '  <li class="sheet0"><a href="#sheet0">Worksheet</a></li>'
+            . PHP_EOL
+            . '  <li class="sheet1"><a href="#sheet1">&lt;img src=x onerror=alert(1)&gt;</a></li>'
+            . PHP_EOL
+            . '</ul>';
+        self::assertStringContainsString($expected, $html, 'appropriate characters are escaped');
+        $spreadsheet->disconnectWorksheets();
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -550,7 +550,7 @@ public function generateNavigation(): string`
`550`	`550`	`$html .= '<ul class="navigation">' . PHP_EOL;`
`551`	`551`
`552`	`552`	`foreach ($sheets as $sheet) {`
`553`		`- $html .= ' <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;`
	`553`	`+ $html .= ' <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . htmlspecialchars($sheet->getTitle()) . '</a></li>' . PHP_EOL;`
`554`	`554`	`++$sheetId;`
`555`	`555`	`}`
`556`	`556`