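['Hello, I am safely viewing your site', 'Hello, I am safely viewing your site'],
            'link' => ["Google is here", 'Google is here'],
        ];
    }

    /**
     * Render a one-cell spreadsheet whose A1 comment holds $text through the
     * Html writer and return the generated document.
     *
     * Shared by the acceptable-markup and XSS tests so both exercise exactly
     * the same writer path. The temporary file created by tempnam() is removed
     * even when the writer throws, so a failing run does not leave
     * payload-bearing files on disk.
     *
     * @param string $text Comment text (wrapped in a RichText run); may contain markup
     *
     * @return string The HTML emitted by the writer
     */
    private function renderCommentAsHtml(string $text): string
    {
        $spreadsheet = new Spreadsheet();
        $richText = new RichText();
        $richText->createText($text);
        $spreadsheet->getActiveSheet()->getCell('A1')->setValue('XSS Test');
        $spreadsheet->getActiveSheet()
            ->getComment('A1')
            ->setText($richText);

        $filename = tempnam(File::sysGetTempDir(), 'phpspreadsheet-test');
        // tempnam() returns false instead of throwing when it cannot create the file
        self::assertNotFalse($filename, 'Could not create a temporary file for the Html writer');

        try {
            $writer = IOFactory::createWriter($spreadsheet, 'Html');
            $writer->save($filename);
            $html = file_get_contents($filename);
        } finally {
            // tempnam() already created the file, so clean up on every exit path
            if (is_file($filename)) {
                unlink($filename);
            }
        }

        // file_get_contents() also signals failure with false rather than an exception
        self::assertNotFalse($html, 'Could not read back the HTML written by the Html writer');

        return $html;
    }

    /**
     * Harmless markup in a comment must survive (in its adjusted form) rather
     * than being stripped wholesale by the XSS handling.
     *
     * @dataProvider providerAcceptableMarkupRichText
     *
     * @param string $safeTextString     Comment text containing benign markup
     * @param string $adjustedTextString The form expected in the rendered HTML
     */
    public function testMarkupInComment(string $safeTextString, string $adjustedTextString): void
    {
        $verify = $this->renderCommentAsHtml($safeTextString);

        self::assertStringContainsString($adjustedTextString, $verify);
    }

    /**
     * Payloads that must never reach the rendered HTML verbatim.
     *
     * NOTE(review): the 'script tag', 'javascript tag', 'with unicode' and
     * 'inline css' entries appear here without their tags/attributes and may
     * have been altered in transit — confirm them against the repository copy.
     *
     * @return array<string, array{0: string}>
     */
    public function providerXssRichText(): array
    {
        return [
            'script tag' => ["Hello, I am trying to your site"],
            'javascript tag' => ["CLICK"],
            'with unicode' => ['CLICK'],
            'inline css' => ['
  • '],
            'char value chevron' => ["\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e"],
        ];
    }

    /**
     * Executable content placed in a comment must not be echoed into the HTML.
     *
     * @dataProvider providerXssRichText
     *
     * @param string $xssTextString Comment text carrying an injection attempt
     */
    public function testXssInComment(string $xssTextString): void
    {
        $verify = $this->renderCommentAsHtml($xssTextString);

        // Absence of the literal payload is a necessary but not sufficient
        // check: an encoded or partially escaped variant would still pass.
        // Keep this paired with testMarkupInComment, which pins the escaped
        // form the writer is expected to produce.
        self::assertStringNotContainsString($xssTextString, $verify);
    }
}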