Replace anti-xss with html purifier (#1751)
* Replace voku/anti-xss with ezyang/htmlpurifier. Despite anti-xss being a smaller-footprint dependency, and a better license fit with our MIT license, there are issues with its automatic sanitisation of global variables causing side effects. * Additional unit tests for XSS in the HTML writer cell comments
							parent
							
								
									957cb62dab
								
							
						
					
					
						commit
						9289ab11b2
					
				| @ -59,7 +59,7 @@ | |||||||
|         "psr/simple-cache": "^1.0", |         "psr/simple-cache": "^1.0", | ||||||
|         "psr/http-client": "^1.0", |         "psr/http-client": "^1.0", | ||||||
|         "psr/http-factory": "^1.0", |         "psr/http-factory": "^1.0", | ||||||
|         "voku/anti-xss": "^4.1" |         "ezyang/htmlpurifier": "^4.13" | ||||||
|     }, |     }, | ||||||
|     "require-dev": { |     "require-dev": { | ||||||
|         "dompdf/dompdf": "^0.8.5", |         "dompdf/dompdf": "^0.8.5", | ||||||
|  | |||||||
									
										845
									
								
								composer.lock
									
									
									
										generated
									
									
									
								
							| @ -4,8 +4,62 @@ | |||||||
|         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", |         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", | ||||||
|         "This file is @generated automatically" |         "This file is @generated automatically" | ||||||
|     ], |     ], | ||||||
|     "content-hash": "209605c0b9329968170279f40db65d22", |     "content-hash": "458fe4e974b469230da589a8781d1e0e", | ||||||
|     "packages": [ |     "packages": [ | ||||||
|  |         { | ||||||
|  |             "name": "ezyang/htmlpurifier", | ||||||
|  |             "version": "v4.13.0", | ||||||
|  |             "source": { | ||||||
|  |                 "type": "git", | ||||||
|  |                 "url": "https://github.com/ezyang/htmlpurifier.git", | ||||||
|  |                 "reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75" | ||||||
|  |             }, | ||||||
|  |             "dist": { | ||||||
|  |                 "type": "zip", | ||||||
|  |                 "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/08e27c97e4c6ed02f37c5b2b20488046c8d90d75", | ||||||
|  |                 "reference": "08e27c97e4c6ed02f37c5b2b20488046c8d90d75", | ||||||
|  |                 "shasum": "" | ||||||
|  |             }, | ||||||
|  |             "require": { | ||||||
|  |                 "php": ">=5.2" | ||||||
|  |             }, | ||||||
|  |             "require-dev": { | ||||||
|  |                 "simpletest/simpletest": "dev-master#72de02a7b80c6bb8864ef9bf66d41d2f58f826bd" | ||||||
|  |             }, | ||||||
|  |             "type": "library", | ||||||
|  |             "autoload": { | ||||||
|  |                 "psr-0": { | ||||||
|  |                     "HTMLPurifier": "library/" | ||||||
|  |                 }, | ||||||
|  |                 "files": [ | ||||||
|  |                     "library/HTMLPurifier.composer.php" | ||||||
|  |                 ], | ||||||
|  |                 "exclude-from-classmap": [ | ||||||
|  |                     "/library/HTMLPurifier/Language/" | ||||||
|  |                 ] | ||||||
|  |             }, | ||||||
|  |             "notification-url": "https://packagist.org/downloads/", | ||||||
|  |             "license": [ | ||||||
|  |                 "LGPL-2.1-or-later" | ||||||
|  |             ], | ||||||
|  |             "authors": [ | ||||||
|  |                 { | ||||||
|  |                     "name": "Edward Z. Yang", | ||||||
|  |                     "email": "admin@htmlpurifier.org", | ||||||
|  |                     "homepage": "http://ezyang.com" | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|  |             "description": "Standards compliant HTML filter written in PHP", | ||||||
|  |             "homepage": "http://htmlpurifier.org/", | ||||||
|  |             "keywords": [ | ||||||
|  |                 "html" | ||||||
|  |             ], | ||||||
|  |             "support": { | ||||||
|  |                 "issues": "https://github.com/ezyang/htmlpurifier/issues", | ||||||
|  |                 "source": "https://github.com/ezyang/htmlpurifier/tree/master" | ||||||
|  |             }, | ||||||
|  |             "time": "2020-06-29T00:56:53+00:00" | ||||||
|  |         }, | ||||||
|         { |         { | ||||||
|             "name": "maennchen/zipstream-php", |             "name": "maennchen/zipstream-php", | ||||||
|             "version": "2.1.0", |             "version": "2.1.0", | ||||||
| @ -477,242 +531,6 @@ | |||||||
|             ], |             ], | ||||||
|             "time": "2017-10-23T01:57:42+00:00" |             "time": "2017-10-23T01:57:42+00:00" | ||||||
|         }, |         }, | ||||||
|         { |  | ||||||
|             "name": "symfony/polyfill-iconv", |  | ||||||
|             "version": "v1.20.0", |  | ||||||
|             "source": { |  | ||||||
|                 "type": "git", |  | ||||||
|                 "url": "https://github.com/symfony/polyfill-iconv.git", |  | ||||||
|                 "reference": "c536646fdb4f29104dd26effc2fdcb9a5b085024" |  | ||||||
|             }, |  | ||||||
|             "dist": { |  | ||||||
|                 "type": "zip", |  | ||||||
|                 "url": "https://api.github.com/repos/symfony/polyfill-iconv/zipball/c536646fdb4f29104dd26effc2fdcb9a5b085024", |  | ||||||
|                 "reference": "c536646fdb4f29104dd26effc2fdcb9a5b085024", |  | ||||||
|                 "shasum": "" |  | ||||||
|             }, |  | ||||||
|             "require": { |  | ||||||
|                 "php": ">=7.1" |  | ||||||
|             }, |  | ||||||
|             "suggest": { |  | ||||||
|                 "ext-iconv": "For best performance" |  | ||||||
|             }, |  | ||||||
|             "type": "library", |  | ||||||
|             "extra": { |  | ||||||
|                 "branch-alias": { |  | ||||||
|                     "dev-main": "1.20-dev" |  | ||||||
|                 }, |  | ||||||
|                 "thanks": { |  | ||||||
|                     "name": "symfony/polyfill", |  | ||||||
|                     "url": "https://github.com/symfony/polyfill" |  | ||||||
|                 } |  | ||||||
|             }, |  | ||||||
|             "autoload": { |  | ||||||
|                 "psr-4": { |  | ||||||
|                     "Symfony\\Polyfill\\Iconv\\": "" |  | ||||||
|                 }, |  | ||||||
|                 "files": [ |  | ||||||
|                     "bootstrap.php" |  | ||||||
|                 ] |  | ||||||
|             }, |  | ||||||
|             "notification-url": "https://packagist.org/downloads/", |  | ||||||
|             "license": [ |  | ||||||
|                 "MIT" |  | ||||||
|             ], |  | ||||||
|             "authors": [ |  | ||||||
|                 { |  | ||||||
|                     "name": "Nicolas Grekas", |  | ||||||
|                     "email": "p@tchwork.com" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "name": "Symfony Community", |  | ||||||
|                     "homepage": "https://symfony.com/contributors" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "description": "Symfony polyfill for the Iconv extension", |  | ||||||
|             "homepage": "https://symfony.com", |  | ||||||
|             "keywords": [ |  | ||||||
|                 "compatibility", |  | ||||||
|                 "iconv", |  | ||||||
|                 "polyfill", |  | ||||||
|                 "portable", |  | ||||||
|                 "shim" |  | ||||||
|             ], |  | ||||||
|             "funding": [ |  | ||||||
|                 { |  | ||||||
|                     "url": "https://symfony.com/sponsor", |  | ||||||
|                     "type": "custom" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://github.com/fabpot", |  | ||||||
|                     "type": "github" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", |  | ||||||
|                     "type": "tidelift" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "time": "2020-10-23T14:02:19+00:00" |  | ||||||
|         }, |  | ||||||
|         { |  | ||||||
|             "name": "symfony/polyfill-intl-grapheme", |  | ||||||
|             "version": "v1.18.1", |  | ||||||
|             "source": { |  | ||||||
|                 "type": "git", |  | ||||||
|                 "url": "https://github.com/symfony/polyfill-intl-grapheme.git", |  | ||||||
|                 "reference": "b740103edbdcc39602239ee8860f0f45a8eb9aa5" |  | ||||||
|             }, |  | ||||||
|             "dist": { |  | ||||||
|                 "type": "zip", |  | ||||||
|                 "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/b740103edbdcc39602239ee8860f0f45a8eb9aa5", |  | ||||||
|                 "reference": "b740103edbdcc39602239ee8860f0f45a8eb9aa5", |  | ||||||
|                 "shasum": "" |  | ||||||
|             }, |  | ||||||
|             "require": { |  | ||||||
|                 "php": ">=5.3.3" |  | ||||||
|             }, |  | ||||||
|             "suggest": { |  | ||||||
|                 "ext-intl": "For best performance" |  | ||||||
|             }, |  | ||||||
|             "type": "library", |  | ||||||
|             "extra": { |  | ||||||
|                 "branch-alias": { |  | ||||||
|                     "dev-master": "1.18-dev" |  | ||||||
|                 }, |  | ||||||
|                 "thanks": { |  | ||||||
|                     "name": "symfony/polyfill", |  | ||||||
|                     "url": "https://github.com/symfony/polyfill" |  | ||||||
|                 } |  | ||||||
|             }, |  | ||||||
|             "autoload": { |  | ||||||
|                 "psr-4": { |  | ||||||
|                     "Symfony\\Polyfill\\Intl\\Grapheme\\": "" |  | ||||||
|                 }, |  | ||||||
|                 "files": [ |  | ||||||
|                     "bootstrap.php" |  | ||||||
|                 ] |  | ||||||
|             }, |  | ||||||
|             "notification-url": "https://packagist.org/downloads/", |  | ||||||
|             "license": [ |  | ||||||
|                 "MIT" |  | ||||||
|             ], |  | ||||||
|             "authors": [ |  | ||||||
|                 { |  | ||||||
|                     "name": "Nicolas Grekas", |  | ||||||
|                     "email": "p@tchwork.com" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "name": "Symfony Community", |  | ||||||
|                     "homepage": "https://symfony.com/contributors" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "description": "Symfony polyfill for intl's grapheme_* functions", |  | ||||||
|             "homepage": "https://symfony.com", |  | ||||||
|             "keywords": [ |  | ||||||
|                 "compatibility", |  | ||||||
|                 "grapheme", |  | ||||||
|                 "intl", |  | ||||||
|                 "polyfill", |  | ||||||
|                 "portable", |  | ||||||
|                 "shim" |  | ||||||
|             ], |  | ||||||
|             "funding": [ |  | ||||||
|                 { |  | ||||||
|                     "url": "https://symfony.com/sponsor", |  | ||||||
|                     "type": "custom" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://github.com/fabpot", |  | ||||||
|                     "type": "github" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", |  | ||||||
|                     "type": "tidelift" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "time": "2020-07-14T12:35:20+00:00" |  | ||||||
|         }, |  | ||||||
|         { |  | ||||||
|             "name": "symfony/polyfill-intl-normalizer", |  | ||||||
|             "version": "v1.18.1", |  | ||||||
|             "source": { |  | ||||||
|                 "type": "git", |  | ||||||
|                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git", |  | ||||||
|                 "reference": "37078a8dd4a2a1e9ab0231af7c6cb671b2ed5a7e" |  | ||||||
|             }, |  | ||||||
|             "dist": { |  | ||||||
|                 "type": "zip", |  | ||||||
|                 "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/37078a8dd4a2a1e9ab0231af7c6cb671b2ed5a7e", |  | ||||||
|                 "reference": "37078a8dd4a2a1e9ab0231af7c6cb671b2ed5a7e", |  | ||||||
|                 "shasum": "" |  | ||||||
|             }, |  | ||||||
|             "require": { |  | ||||||
|                 "php": ">=5.3.3" |  | ||||||
|             }, |  | ||||||
|             "suggest": { |  | ||||||
|                 "ext-intl": "For best performance" |  | ||||||
|             }, |  | ||||||
|             "type": "library", |  | ||||||
|             "extra": { |  | ||||||
|                 "branch-alias": { |  | ||||||
|                     "dev-master": "1.18-dev" |  | ||||||
|                 }, |  | ||||||
|                 "thanks": { |  | ||||||
|                     "name": "symfony/polyfill", |  | ||||||
|                     "url": "https://github.com/symfony/polyfill" |  | ||||||
|                 } |  | ||||||
|             }, |  | ||||||
|             "autoload": { |  | ||||||
|                 "psr-4": { |  | ||||||
|                     "Symfony\\Polyfill\\Intl\\Normalizer\\": "" |  | ||||||
|                 }, |  | ||||||
|                 "files": [ |  | ||||||
|                     "bootstrap.php" |  | ||||||
|                 ], |  | ||||||
|                 "classmap": [ |  | ||||||
|                     "Resources/stubs" |  | ||||||
|                 ] |  | ||||||
|             }, |  | ||||||
|             "notification-url": "https://packagist.org/downloads/", |  | ||||||
|             "license": [ |  | ||||||
|                 "MIT" |  | ||||||
|             ], |  | ||||||
|             "authors": [ |  | ||||||
|                 { |  | ||||||
|                     "name": "Nicolas Grekas", |  | ||||||
|                     "email": "p@tchwork.com" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "name": "Symfony Community", |  | ||||||
|                     "homepage": "https://symfony.com/contributors" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "description": "Symfony polyfill for intl's Normalizer class and related functions", |  | ||||||
|             "homepage": "https://symfony.com", |  | ||||||
|             "keywords": [ |  | ||||||
|                 "compatibility", |  | ||||||
|                 "intl", |  | ||||||
|                 "normalizer", |  | ||||||
|                 "polyfill", |  | ||||||
|                 "portable", |  | ||||||
|                 "shim" |  | ||||||
|             ], |  | ||||||
|             "funding": [ |  | ||||||
|                 { |  | ||||||
|                     "url": "https://symfony.com/sponsor", |  | ||||||
|                     "type": "custom" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://github.com/fabpot", |  | ||||||
|                     "type": "github" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", |  | ||||||
|                     "type": "tidelift" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "time": "2020-07-14T12:35:20+00:00" |  | ||||||
|         }, |  | ||||||
|         { |         { | ||||||
|             "name": "symfony/polyfill-mbstring", |             "name": "symfony/polyfill-mbstring", | ||||||
|             "version": "v1.18.1", |             "version": "v1.18.1", | ||||||
| @ -789,323 +607,6 @@ | |||||||
|                 } |                 } | ||||||
|             ], |             ], | ||||||
|             "time": "2020-07-14T12:35:20+00:00" |             "time": "2020-07-14T12:35:20+00:00" | ||||||
|         }, |  | ||||||
|         { |  | ||||||
|             "name": "symfony/polyfill-php72", |  | ||||||
|             "version": "v1.18.1", |  | ||||||
|             "source": { |  | ||||||
|                 "type": "git", |  | ||||||
|                 "url": "https://github.com/symfony/polyfill-php72.git", |  | ||||||
|                 "reference": "639447d008615574653fb3bc60d1986d7172eaae" |  | ||||||
|             }, |  | ||||||
|             "dist": { |  | ||||||
|                 "type": "zip", |  | ||||||
|                 "url": "https://api.github.com/repos/symfony/polyfill-php72/zipball/639447d008615574653fb3bc60d1986d7172eaae", |  | ||||||
|                 "reference": "639447d008615574653fb3bc60d1986d7172eaae", |  | ||||||
|                 "shasum": "" |  | ||||||
|             }, |  | ||||||
|             "require": { |  | ||||||
|                 "php": ">=5.3.3" |  | ||||||
|             }, |  | ||||||
|             "type": "library", |  | ||||||
|             "extra": { |  | ||||||
|                 "branch-alias": { |  | ||||||
|                     "dev-master": "1.18-dev" |  | ||||||
|                 }, |  | ||||||
|                 "thanks": { |  | ||||||
|                     "name": "symfony/polyfill", |  | ||||||
|                     "url": "https://github.com/symfony/polyfill" |  | ||||||
|                 } |  | ||||||
|             }, |  | ||||||
|             "autoload": { |  | ||||||
|                 "psr-4": { |  | ||||||
|                     "Symfony\\Polyfill\\Php72\\": "" |  | ||||||
|                 }, |  | ||||||
|                 "files": [ |  | ||||||
|                     "bootstrap.php" |  | ||||||
|                 ] |  | ||||||
|             }, |  | ||||||
|             "notification-url": "https://packagist.org/downloads/", |  | ||||||
|             "license": [ |  | ||||||
|                 "MIT" |  | ||||||
|             ], |  | ||||||
|             "authors": [ |  | ||||||
|                 { |  | ||||||
|                     "name": "Nicolas Grekas", |  | ||||||
|                     "email": "p@tchwork.com" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "name": "Symfony Community", |  | ||||||
|                     "homepage": "https://symfony.com/contributors" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "description": "Symfony polyfill backporting some PHP 7.2+ features to lower PHP versions", |  | ||||||
|             "homepage": "https://symfony.com", |  | ||||||
|             "keywords": [ |  | ||||||
|                 "compatibility", |  | ||||||
|                 "polyfill", |  | ||||||
|                 "portable", |  | ||||||
|                 "shim" |  | ||||||
|             ], |  | ||||||
|             "funding": [ |  | ||||||
|                 { |  | ||||||
|                     "url": "https://symfony.com/sponsor", |  | ||||||
|                     "type": "custom" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://github.com/fabpot", |  | ||||||
|                     "type": "github" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", |  | ||||||
|                     "type": "tidelift" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "time": "2020-07-14T12:35:20+00:00" |  | ||||||
|         }, |  | ||||||
|         { |  | ||||||
|             "name": "voku/anti-xss", |  | ||||||
|             "version": "4.1.30", |  | ||||||
|             "source": { |  | ||||||
|                 "type": "git", |  | ||||||
|                 "url": "https://github.com/voku/anti-xss.git", |  | ||||||
|                 "reference": "ff6e54f4a98ad1cd28f8b4a0f3c3f92f3c421f0a" |  | ||||||
|             }, |  | ||||||
|             "dist": { |  | ||||||
|                 "type": "zip", |  | ||||||
|                 "url": "https://api.github.com/repos/voku/anti-xss/zipball/ff6e54f4a98ad1cd28f8b4a0f3c3f92f3c421f0a", |  | ||||||
|                 "reference": "ff6e54f4a98ad1cd28f8b4a0f3c3f92f3c421f0a", |  | ||||||
|                 "shasum": "" |  | ||||||
|             }, |  | ||||||
|             "require": { |  | ||||||
|                 "php": ">=7.0.0", |  | ||||||
|                 "voku/portable-utf8": "~5.4.50" |  | ||||||
|             }, |  | ||||||
|             "require-dev": { |  | ||||||
|                 "phpunit/phpunit": "~6.0 || ~7.0 || ~9.0" |  | ||||||
|             }, |  | ||||||
|             "type": "library", |  | ||||||
|             "extra": { |  | ||||||
|                 "branch-alias": { |  | ||||||
|                     "dev-master": "4.1.x-dev" |  | ||||||
|                 } |  | ||||||
|             }, |  | ||||||
|             "autoload": { |  | ||||||
|                 "psr-4": { |  | ||||||
|                     "voku\\helper\\": "src/voku/helper/" |  | ||||||
|                 } |  | ||||||
|             }, |  | ||||||
|             "notification-url": "https://packagist.org/downloads/", |  | ||||||
|             "license": [ |  | ||||||
|                 "MIT" |  | ||||||
|             ], |  | ||||||
|             "authors": [ |  | ||||||
|                 { |  | ||||||
|                     "name": "EllisLab Dev Team", |  | ||||||
|                     "homepage": "http://ellislab.com/" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "name": "Lars Moelleken", |  | ||||||
|                     "email": "lars@moelleken.org", |  | ||||||
|                     "homepage": "http://www.moelleken.org/" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "description": "anti xss-library", |  | ||||||
|             "homepage": "https://github.com/voku/anti-xss", |  | ||||||
|             "keywords": [ |  | ||||||
|                 "anti-xss", |  | ||||||
|                 "clean", |  | ||||||
|                 "security", |  | ||||||
|                 "xss" |  | ||||||
|             ], |  | ||||||
|             "funding": [ |  | ||||||
|                 { |  | ||||||
|                     "url": "https://www.paypal.me/moelleken", |  | ||||||
|                     "type": "custom" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://github.com/voku", |  | ||||||
|                     "type": "github" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://opencollective.com/anti-xss", |  | ||||||
|                     "type": "open_collective" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://www.patreon.com/voku", |  | ||||||
|                     "type": "patreon" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://tidelift.com/funding/github/packagist/voku/anti-xss", |  | ||||||
|                     "type": "tidelift" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "time": "2020-11-12T00:30:57+00:00" |  | ||||||
|         }, |  | ||||||
|         { |  | ||||||
|             "name": "voku/portable-ascii", |  | ||||||
|             "version": "1.5.6", |  | ||||||
|             "source": { |  | ||||||
|                 "type": "git", |  | ||||||
|                 "url": "https://github.com/voku/portable-ascii.git", |  | ||||||
|                 "reference": "80953678b19901e5165c56752d087fc11526017c" |  | ||||||
|             }, |  | ||||||
|             "dist": { |  | ||||||
|                 "type": "zip", |  | ||||||
|                 "url": "https://api.github.com/repos/voku/portable-ascii/zipball/80953678b19901e5165c56752d087fc11526017c", |  | ||||||
|                 "reference": "80953678b19901e5165c56752d087fc11526017c", |  | ||||||
|                 "shasum": "" |  | ||||||
|             }, |  | ||||||
|             "require": { |  | ||||||
|                 "php": ">=7.0.0" |  | ||||||
|             }, |  | ||||||
|             "require-dev": { |  | ||||||
|                 "phpunit/phpunit": "~6.0 || ~7.0 || ~9.0" |  | ||||||
|             }, |  | ||||||
|             "suggest": { |  | ||||||
|                 "ext-intl": "Use Intl for transliterator_transliterate() support" |  | ||||||
|             }, |  | ||||||
|             "type": "library", |  | ||||||
|             "autoload": { |  | ||||||
|                 "psr-4": { |  | ||||||
|                     "voku\\": "src/voku/" |  | ||||||
|                 } |  | ||||||
|             }, |  | ||||||
|             "notification-url": "https://packagist.org/downloads/", |  | ||||||
|             "license": [ |  | ||||||
|                 "MIT" |  | ||||||
|             ], |  | ||||||
|             "authors": [ |  | ||||||
|                 { |  | ||||||
|                     "name": "Lars Moelleken", |  | ||||||
|                     "homepage": "http://www.moelleken.org/" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "description": "Portable ASCII library - performance optimized (ascii) string functions for php.", |  | ||||||
|             "homepage": "https://github.com/voku/portable-ascii", |  | ||||||
|             "keywords": [ |  | ||||||
|                 "ascii", |  | ||||||
|                 "clean", |  | ||||||
|                 "php" |  | ||||||
|             ], |  | ||||||
|             "funding": [ |  | ||||||
|                 { |  | ||||||
|                     "url": "https://www.paypal.me/moelleken", |  | ||||||
|                     "type": "custom" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://github.com/voku", |  | ||||||
|                     "type": "github" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://opencollective.com/portable-ascii", |  | ||||||
|                     "type": "open_collective" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://www.patreon.com/voku", |  | ||||||
|                     "type": "patreon" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://tidelift.com/funding/github/packagist/voku/portable-ascii", |  | ||||||
|                     "type": "tidelift" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "time": "2020-11-12T00:07:28+00:00" |  | ||||||
|         }, |  | ||||||
|         { |  | ||||||
|             "name": "voku/portable-utf8", |  | ||||||
|             "version": "5.4.50", |  | ||||||
|             "source": { |  | ||||||
|                 "type": "git", |  | ||||||
|                 "url": "https://github.com/voku/portable-utf8.git", |  | ||||||
|                 "reference": "f14ed68ea9ced6639e71ca989c6d907892115ba0" |  | ||||||
|             }, |  | ||||||
|             "dist": { |  | ||||||
|                 "type": "zip", |  | ||||||
|                 "url": "https://api.github.com/repos/voku/portable-utf8/zipball/f14ed68ea9ced6639e71ca989c6d907892115ba0", |  | ||||||
|                 "reference": "f14ed68ea9ced6639e71ca989c6d907892115ba0", |  | ||||||
|                 "shasum": "" |  | ||||||
|             }, |  | ||||||
|             "require": { |  | ||||||
|                 "php": ">=7.0.0", |  | ||||||
|                 "symfony/polyfill-iconv": "~1.0", |  | ||||||
|                 "symfony/polyfill-intl-grapheme": "~1.0", |  | ||||||
|                 "symfony/polyfill-intl-normalizer": "~1.0", |  | ||||||
|                 "symfony/polyfill-mbstring": "~1.0", |  | ||||||
|                 "symfony/polyfill-php72": "~1.0", |  | ||||||
|                 "voku/portable-ascii": "~1.5.6" |  | ||||||
|             }, |  | ||||||
|             "require-dev": { |  | ||||||
|                 "phpunit/phpunit": "~6.0 || ~7.0 || ~9.0" |  | ||||||
|             }, |  | ||||||
|             "suggest": { |  | ||||||
|                 "ext-ctype": "Use Ctype for e.g. hexadecimal digit detection", |  | ||||||
|                 "ext-fileinfo": "Use Fileinfo for better binary file detection", |  | ||||||
|                 "ext-iconv": "Use iconv for best performance", |  | ||||||
|                 "ext-intl": "Use Intl for best performance", |  | ||||||
|                 "ext-json": "Use JSON for string detection", |  | ||||||
|                 "ext-mbstring": "Use Mbstring for best performance" |  | ||||||
|             }, |  | ||||||
|             "type": "library", |  | ||||||
|             "autoload": { |  | ||||||
|                 "psr-4": { |  | ||||||
|                     "voku\\": "src/voku/" |  | ||||||
|                 }, |  | ||||||
|                 "files": [ |  | ||||||
|                     "bootstrap.php" |  | ||||||
|                 ] |  | ||||||
|             }, |  | ||||||
|             "notification-url": "https://packagist.org/downloads/", |  | ||||||
|             "license": [ |  | ||||||
|                 "(Apache-2.0 or GPL-2.0)" |  | ||||||
|             ], |  | ||||||
|             "authors": [ |  | ||||||
|                 { |  | ||||||
|                     "name": "Nicolas Grekas", |  | ||||||
|                     "email": "p@tchwork.com" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "name": "Hamid Sarfraz", |  | ||||||
|                     "homepage": "http://pageconfig.com/" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "name": "Lars Moelleken", |  | ||||||
|                     "homepage": "http://www.moelleken.org/" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "description": "Portable UTF-8 library - performance optimized (unicode) string functions for php.", |  | ||||||
|             "homepage": "https://github.com/voku/portable-utf8", |  | ||||||
|             "keywords": [ |  | ||||||
|                 "UTF", |  | ||||||
|                 "clean", |  | ||||||
|                 "php", |  | ||||||
|                 "unicode", |  | ||||||
|                 "utf-8", |  | ||||||
|                 "utf8" |  | ||||||
|             ], |  | ||||||
|             "funding": [ |  | ||||||
|                 { |  | ||||||
|                     "url": "https://www.paypal.me/moelleken", |  | ||||||
|                     "type": "custom" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://github.com/voku", |  | ||||||
|                     "type": "github" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://opencollective.com/portable-utf8", |  | ||||||
|                     "type": "open_collective" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://www.patreon.com/voku", |  | ||||||
|                     "type": "patreon" |  | ||||||
|                 }, |  | ||||||
|                 { |  | ||||||
|                     "url": "https://tidelift.com/funding/github/packagist/voku/portable-utf8", |  | ||||||
|                     "type": "tidelift" |  | ||||||
|                 } |  | ||||||
|             ], |  | ||||||
|             "time": "2020-11-12T00:17:47+00:00" |  | ||||||
|         } |         } | ||||||
|     ], |     ], | ||||||
|     "packages-dev": [ |     "packages-dev": [ | ||||||
| @ -4150,6 +3651,165 @@ | |||||||
|             ], |             ], | ||||||
|             "time": "2020-07-14T12:35:20+00:00" |             "time": "2020-07-14T12:35:20+00:00" | ||||||
|         }, |         }, | ||||||
|  |         { | ||||||
|  |             "name": "symfony/polyfill-intl-grapheme", | ||||||
|  |             "version": "v1.18.1", | ||||||
|  |             "source": { | ||||||
|  |                 "type": "git", | ||||||
|  |                 "url": "https://github.com/symfony/polyfill-intl-grapheme.git", | ||||||
|  |                 "reference": "b740103edbdcc39602239ee8860f0f45a8eb9aa5" | ||||||
|  |             }, | ||||||
|  |             "dist": { | ||||||
|  |                 "type": "zip", | ||||||
|  |                 "url": "https://api.github.com/repos/symfony/polyfill-intl-grapheme/zipball/b740103edbdcc39602239ee8860f0f45a8eb9aa5", | ||||||
|  |                 "reference": "b740103edbdcc39602239ee8860f0f45a8eb9aa5", | ||||||
|  |                 "shasum": "" | ||||||
|  |             }, | ||||||
|  |             "require": { | ||||||
|  |                 "php": ">=5.3.3" | ||||||
|  |             }, | ||||||
|  |             "suggest": { | ||||||
|  |                 "ext-intl": "For best performance" | ||||||
|  |             }, | ||||||
|  |             "type": "library", | ||||||
|  |             "extra": { | ||||||
|  |                 "branch-alias": { | ||||||
|  |                     "dev-master": "1.18-dev" | ||||||
|  |                 }, | ||||||
|  |                 "thanks": { | ||||||
|  |                     "name": "symfony/polyfill", | ||||||
|  |                     "url": "https://github.com/symfony/polyfill" | ||||||
|  |                 } | ||||||
|  |             }, | ||||||
|  |             "autoload": { | ||||||
|  |                 "psr-4": { | ||||||
|  |                     "Symfony\\Polyfill\\Intl\\Grapheme\\": "" | ||||||
|  |                 }, | ||||||
|  |                 "files": [ | ||||||
|  |                     "bootstrap.php" | ||||||
|  |                 ] | ||||||
|  |             }, | ||||||
|  |             "notification-url": "https://packagist.org/downloads/", | ||||||
|  |             "license": [ | ||||||
|  |                 "MIT" | ||||||
|  |             ], | ||||||
|  |             "authors": [ | ||||||
|  |                 { | ||||||
|  |                     "name": "Nicolas Grekas", | ||||||
|  |                     "email": "p@tchwork.com" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "name": "Symfony Community", | ||||||
|  |                     "homepage": "https://symfony.com/contributors" | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|  |             "description": "Symfony polyfill for intl's grapheme_* functions", | ||||||
|  |             "homepage": "https://symfony.com", | ||||||
|  |             "keywords": [ | ||||||
|  |                 "compatibility", | ||||||
|  |                 "grapheme", | ||||||
|  |                 "intl", | ||||||
|  |                 "polyfill", | ||||||
|  |                 "portable", | ||||||
|  |                 "shim" | ||||||
|  |             ], | ||||||
|  |             "funding": [ | ||||||
|  |                 { | ||||||
|  |                     "url": "https://symfony.com/sponsor", | ||||||
|  |                     "type": "custom" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "url": "https://github.com/fabpot", | ||||||
|  |                     "type": "github" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", | ||||||
|  |                     "type": "tidelift" | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|  |             "time": "2020-07-14T12:35:20+00:00" | ||||||
|  |         }, | ||||||
|  |         { | ||||||
|  |             "name": "symfony/polyfill-intl-normalizer", | ||||||
|  |             "version": "v1.18.1", | ||||||
|  |             "source": { | ||||||
|  |                 "type": "git", | ||||||
|  |                 "url": "https://github.com/symfony/polyfill-intl-normalizer.git", | ||||||
|  |                 "reference": "37078a8dd4a2a1e9ab0231af7c6cb671b2ed5a7e" | ||||||
|  |             }, | ||||||
|  |             "dist": { | ||||||
|  |                 "type": "zip", | ||||||
|  |                 "url": "https://api.github.com/repos/symfony/polyfill-intl-normalizer/zipball/37078a8dd4a2a1e9ab0231af7c6cb671b2ed5a7e", | ||||||
|  |                 "reference": "37078a8dd4a2a1e9ab0231af7c6cb671b2ed5a7e", | ||||||
|  |                 "shasum": "" | ||||||
|  |             }, | ||||||
|  |             "require": { | ||||||
|  |                 "php": ">=5.3.3" | ||||||
|  |             }, | ||||||
|  |             "suggest": { | ||||||
|  |                 "ext-intl": "For best performance" | ||||||
|  |             }, | ||||||
|  |             "type": "library", | ||||||
|  |             "extra": { | ||||||
|  |                 "branch-alias": { | ||||||
|  |                     "dev-master": "1.18-dev" | ||||||
|  |                 }, | ||||||
|  |                 "thanks": { | ||||||
|  |                     "name": "symfony/polyfill", | ||||||
|  |                     "url": "https://github.com/symfony/polyfill" | ||||||
|  |                 } | ||||||
|  |             }, | ||||||
|  |             "autoload": { | ||||||
|  |                 "psr-4": { | ||||||
|  |                     "Symfony\\Polyfill\\Intl\\Normalizer\\": "" | ||||||
|  |                 }, | ||||||
|  |                 "files": [ | ||||||
|  |                     "bootstrap.php" | ||||||
|  |                 ], | ||||||
|  |                 "classmap": [ | ||||||
|  |                     "Resources/stubs" | ||||||
|  |                 ] | ||||||
|  |             }, | ||||||
|  |             "notification-url": "https://packagist.org/downloads/", | ||||||
|  |             "license": [ | ||||||
|  |                 "MIT" | ||||||
|  |             ], | ||||||
|  |             "authors": [ | ||||||
|  |                 { | ||||||
|  |                     "name": "Nicolas Grekas", | ||||||
|  |                     "email": "p@tchwork.com" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "name": "Symfony Community", | ||||||
|  |                     "homepage": "https://symfony.com/contributors" | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|  |             "description": "Symfony polyfill for intl's Normalizer class and related functions", | ||||||
|  |             "homepage": "https://symfony.com", | ||||||
|  |             "keywords": [ | ||||||
|  |                 "compatibility", | ||||||
|  |                 "intl", | ||||||
|  |                 "normalizer", | ||||||
|  |                 "polyfill", | ||||||
|  |                 "portable", | ||||||
|  |                 "shim" | ||||||
|  |             ], | ||||||
|  |             "funding": [ | ||||||
|  |                 { | ||||||
|  |                     "url": "https://symfony.com/sponsor", | ||||||
|  |                     "type": "custom" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "url": "https://github.com/fabpot", | ||||||
|  |                     "type": "github" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", | ||||||
|  |                     "type": "tidelift" | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|  |             "time": "2020-07-14T12:35:20+00:00" | ||||||
|  |         }, | ||||||
|         { |         { | ||||||
|             "name": "symfony/polyfill-php70", |             "name": "symfony/polyfill-php70", | ||||||
|             "version": "v1.18.1", |             "version": "v1.18.1", | ||||||
| @ -4227,6 +3887,79 @@ | |||||||
|             ], |             ], | ||||||
|             "time": "2020-07-14T12:35:20+00:00" |             "time": "2020-07-14T12:35:20+00:00" | ||||||
|         }, |         }, | ||||||
|  |         { | ||||||
|  |             "name": "symfony/polyfill-php72", | ||||||
|  |             "version": "v1.18.1", | ||||||
|  |             "source": { | ||||||
|  |                 "type": "git", | ||||||
|  |                 "url": "https://github.com/symfony/polyfill-php72.git", | ||||||
|  |                 "reference": "639447d008615574653fb3bc60d1986d7172eaae" | ||||||
|  |             }, | ||||||
|  |             "dist": { | ||||||
|  |                 "type": "zip", | ||||||
|  |                 "url": "https://api.github.com/repos/symfony/polyfill-php72/zipball/639447d008615574653fb3bc60d1986d7172eaae", | ||||||
|  |                 "reference": "639447d008615574653fb3bc60d1986d7172eaae", | ||||||
|  |                 "shasum": "" | ||||||
|  |             }, | ||||||
|  |             "require": { | ||||||
|  |                 "php": ">=5.3.3" | ||||||
|  |             }, | ||||||
|  |             "type": "library", | ||||||
|  |             "extra": { | ||||||
|  |                 "branch-alias": { | ||||||
|  |                     "dev-master": "1.18-dev" | ||||||
|  |                 }, | ||||||
|  |                 "thanks": { | ||||||
|  |                     "name": "symfony/polyfill", | ||||||
|  |                     "url": "https://github.com/symfony/polyfill" | ||||||
|  |                 } | ||||||
|  |             }, | ||||||
|  |             "autoload": { | ||||||
|  |                 "psr-4": { | ||||||
|  |                     "Symfony\\Polyfill\\Php72\\": "" | ||||||
|  |                 }, | ||||||
|  |                 "files": [ | ||||||
|  |                     "bootstrap.php" | ||||||
|  |                 ] | ||||||
|  |             }, | ||||||
|  |             "notification-url": "https://packagist.org/downloads/", | ||||||
|  |             "license": [ | ||||||
|  |                 "MIT" | ||||||
|  |             ], | ||||||
|  |             "authors": [ | ||||||
|  |                 { | ||||||
|  |                     "name": "Nicolas Grekas", | ||||||
|  |                     "email": "p@tchwork.com" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "name": "Symfony Community", | ||||||
|  |                     "homepage": "https://symfony.com/contributors" | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|  |             "description": "Symfony polyfill backporting some PHP 7.2+ features to lower PHP versions", | ||||||
|  |             "homepage": "https://symfony.com", | ||||||
|  |             "keywords": [ | ||||||
|  |                 "compatibility", | ||||||
|  |                 "polyfill", | ||||||
|  |                 "portable", | ||||||
|  |                 "shim" | ||||||
|  |             ], | ||||||
|  |             "funding": [ | ||||||
|  |                 { | ||||||
|  |                     "url": "https://symfony.com/sponsor", | ||||||
|  |                     "type": "custom" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "url": "https://github.com/fabpot", | ||||||
|  |                     "type": "github" | ||||||
|  |                 }, | ||||||
|  |                 { | ||||||
|  |                     "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", | ||||||
|  |                     "type": "tidelift" | ||||||
|  |                 } | ||||||
|  |             ], | ||||||
|  |             "time": "2020-07-14T12:35:20+00:00" | ||||||
|  |         }, | ||||||
|         { |         { | ||||||
|             "name": "symfony/polyfill-php73", |             "name": "symfony/polyfill-php73", | ||||||
|             "version": "v1.18.1", |             "version": "v1.18.1", | ||||||
| @ -4836,7 +4569,7 @@ | |||||||
|     "prefer-stable": false, |     "prefer-stable": false, | ||||||
|     "prefer-lowest": false, |     "prefer-lowest": false, | ||||||
|     "platform": { |     "platform": { | ||||||
|         "php": "^7.2|^8.0", |         "php": "^7.2||^8.0", | ||||||
|         "ext-ctype": "*", |         "ext-ctype": "*", | ||||||
|         "ext-dom": "*", |         "ext-dom": "*", | ||||||
|         "ext-gd": "*", |         "ext-gd": "*", | ||||||
| @ -4852,5 +4585,5 @@ | |||||||
|         "ext-zlib": "*" |         "ext-zlib": "*" | ||||||
|     }, |     }, | ||||||
|     "platform-dev": [], |     "platform-dev": [], | ||||||
|     "plugin-api-version": "1.1.0" |     "plugin-api-version": "2.0.0" | ||||||
| } | } | ||||||
|  | |||||||
| @ -2,6 +2,7 @@ | |||||||
| 
 | 
 | ||||||
| namespace PhpOffice\PhpSpreadsheet\Writer; | namespace PhpOffice\PhpSpreadsheet\Writer; | ||||||
| 
 | 
 | ||||||
|  | use HTMLPurifier; | ||||||
| use PhpOffice\PhpSpreadsheet\Calculation\Calculation; | use PhpOffice\PhpSpreadsheet\Calculation\Calculation; | ||||||
| use PhpOffice\PhpSpreadsheet\Cell\Cell; | use PhpOffice\PhpSpreadsheet\Cell\Cell; | ||||||
| use PhpOffice\PhpSpreadsheet\Cell\Coordinate; | use PhpOffice\PhpSpreadsheet\Cell\Coordinate; | ||||||
| @ -23,7 +24,6 @@ use PhpOffice\PhpSpreadsheet\Style\Style; | |||||||
| use PhpOffice\PhpSpreadsheet\Worksheet\Drawing; | use PhpOffice\PhpSpreadsheet\Worksheet\Drawing; | ||||||
| use PhpOffice\PhpSpreadsheet\Worksheet\MemoryDrawing; | use PhpOffice\PhpSpreadsheet\Worksheet\MemoryDrawing; | ||||||
| use PhpOffice\PhpSpreadsheet\Worksheet\Worksheet; | use PhpOffice\PhpSpreadsheet\Worksheet\Worksheet; | ||||||
| use voku\helper\AntiXSS; |  | ||||||
| 
 | 
 | ||||||
| class Html extends BaseWriter | class Html extends BaseWriter | ||||||
| { | { | ||||||
| @ -1789,9 +1789,9 @@ class Html extends BaseWriter | |||||||
|     { |     { | ||||||
|         $result = ''; |         $result = ''; | ||||||
|         if (!$this->isPdf && isset($pSheet->getComments()[$coordinate])) { |         if (!$this->isPdf && isset($pSheet->getComments()[$coordinate])) { | ||||||
|             $sanitizer = new AntiXSS(); |             $sanitizer = new HTMLPurifier(); | ||||||
|             $sanitizedString = $sanitizer->xss_clean($pSheet->getComment($coordinate)->getText()->getPlainText()); |             $sanitizedString = $sanitizer->purify($pSheet->getComment($coordinate)->getText()->getPlainText()); | ||||||
|             if (!$sanitizer->isXssFound()) { |             if ($sanitizedString !== '') { | ||||||
|                 $result .= '<a class="comment-indicator"></a>'; |                 $result .= '<a class="comment-indicator"></a>'; | ||||||
|                 $result .= '<div class="comment">' . nl2br($sanitizedString) . '</div>'; |                 $result .= '<div class="comment">' . nl2br($sanitizedString) . '</div>'; | ||||||
|                 $result .= PHP_EOL; |                 $result .= PHP_EOL; | ||||||
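Review bot: `new HTMLPurifier()` is constructed with the library-wide default configuration on every comment written, and a purifier built that way also runs its definition cache, which by default serialises under the library's own directory, so each comment pays for a definition build and may attempt a write under `vendor/`. Caching one instance on the writer keeps that to a single build and makes the policy explicit: `$sanitizer = $this->purifier ?? ($this->purifier = new HTMLPurifier(\HTMLPurifier_Config::createDefault()));` with `private $purifier;` declared on the class (the enclosing method's signature and the class body lie outside the hunk). That config object is also the place to narrow what a cell comment is allowed to carry (`HTML.Allowed`, `URI.AllowedSchemes`) and to point `Cache.SerializerPath` at a writable location or disable the cache via `Cache.DefinitionImpl`, instead of inheriting defaults chosen for rendering whole documents. The condition `if ($sanitizedString !== '')` also changes behaviour: the old code dropped the whole comment once anti-xss flagged it, whereas the new code emits whatever survives purification; that seems intended but deserves a mention in the change description.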
|  | |||||||
| @ -10,15 +10,56 @@ use PhpOffice\PhpSpreadsheetTests\Functional; | |||||||
| 
 | 
 | ||||||
| class XssVulnerabilityTest extends Functional\AbstractFunctional | class XssVulnerabilityTest extends Functional\AbstractFunctional | ||||||
| { | { | ||||||
|  |     public function providerAcceptableMarkupRichText() | ||||||
|  |     { | ||||||
|  |         return [ | ||||||
|  |             'basic text' => ['Hello, I am safely viewing your site', 'Hello, I am safely viewing your site'], | ||||||
|  |             'link' => ["<a href='Visit Google'>Google is here</a>", '<a href="Visit%20Google">Google is here</a>'], | ||||||
|  |         ]; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     /** | ||||||
|  |      * @dataProvider providerAcceptableMarkupRichText | ||||||
|  |      * | ||||||
|  |      * @param string $safeTextString | ||||||
|  |      * @param string $adjustedTextString | ||||||
|  |      */ | ||||||
|  |     public function testMarkupInComment($safeTextString, $adjustedTextString): void | ||||||
|  |     { | ||||||
|  |         $spreadsheet = new Spreadsheet(); | ||||||
|  | 
 | ||||||
|  |         $richText = new RichText(); | ||||||
|  |         $richText->createText($safeTextString); | ||||||
|  | 
 | ||||||
|  |         $spreadsheet->getActiveSheet()->getCell('A1')->setValue('XSS Test'); | ||||||
|  | 
 | ||||||
|  |         $spreadsheet->getActiveSheet() | ||||||
|  |             ->getComment('A1') | ||||||
|  |             ->setText($richText); | ||||||
|  | 
 | ||||||
|  |         $filename = tempnam(File::sysGetTempDir(), 'phpspreadsheet-test'); | ||||||
|  | 
 | ||||||
|  |         $writer = IOFactory::createWriter($spreadsheet, 'Html'); | ||||||
|  |         $writer->save($filename); | ||||||
|  | 
 | ||||||
|  |         $verify = file_get_contents($filename); | ||||||
|  |         // Ensure that executable js has been stripped from the comments
 | ||||||
|  |         self::assertStringContainsString($adjustedTextString, $verify); | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|     public function providerXssRichText() |     public function providerXssRichText() | ||||||
|     { |     { | ||||||
|         return [ |         return [ | ||||||
|             'script tag' => ['<script>alert(1)</script>'], |             'script tag' => ["Hello, I am trying to <script>alert('Hack');</script> your site"], | ||||||
|             'javascript tag' => ['javascript:alert(1)'], |             'javascript tag' => ["<a href=' javascript:alert(1)'>CLICK</a>"], | ||||||
|             'with unicode' => ['java\u0003script:alert(1)'], |             'with unicode' => ['<a href="\\u0001java\\u0003script:alert(1)">CLICK<a>'], | ||||||
|  |             'inline css' => ['<li style="list-style-image: url(javascript:alert(0))">'], | ||||||
|  |             'char value chevron' => ["\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e"], | ||||||
|         ]; |         ]; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|  |     private static $counter = 0; | ||||||
|  | 
 | ||||||
|     /** |     /** | ||||||
|      * @dataProvider providerXssRichText |      * @dataProvider providerXssRichText | ||||||
|      * |      * | ||||||
| @ -43,6 +84,8 @@ class XssVulnerabilityTest extends Functional\AbstractFunctional | |||||||
|         $writer->save($filename); |         $writer->save($filename); | ||||||
| 
 | 
 | ||||||
|         $verify = file_get_contents($filename); |         $verify = file_get_contents($filename); | ||||||
|  |         $counter = self::$counter++; | ||||||
|  |         file_put_contents("verify{$counter}.html", $verify); | ||||||
|         // Ensure that executable js has been stripped from the comments
 |         // Ensure that executable js has been stripped from the comments
 | ||||||
|         self::assertStringNotContainsString($xssTextString, $verify); |         self::assertStringNotContainsString($xssTextString, $verify); | ||||||
|     } |     } | ||||||
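Review bot: The `private static $counter = 0;` added after `providerXssRichText` and the `$counter = self::$counter++; file_put_contents("verify{$counter}.html", $verify);` pair in the second hunk look like debugging leftovers: they write one untracked HTML file per data set into the current working directory of whoever runs the suite and are never cleaned up, so both should be removed. The comment copied into `testMarkupInComment`, `// Ensure that executable js has been stripped from the comments`, describes the other test; `// Ensure that harmless markup survives sanitisation` matches what this assertion checks. The negative assertion `self::assertStringNotContainsString($xssTextString, $verify)` is satisfied whenever the writer merely re-quotes or re-encodes the payload, so asserting that the dangerous fragments (`<script`, `javascript:`) are absent would pin the property the test is named for. The `tempnam` file is read but never unlinked in either test, and nothing in the hunks shows it being removed elsewhere.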
|  | |||||||
	 Mark Baker
						Mark Baker