mcndave/spout
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix sheet name escaping

Browse Source 
Sheet names are stored as attributes of an XML entity. We therefore need a different escaping strategy, escaping quotes.
This commit is contained in:
Adrien Loison 2019-01-26 16:08:20 +01:00 committed by Adrien Loison
parent ee998f7173
commit 71cf0fe339
6 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/Spout/Common/Helper/Escaper/ODS.php
View File

@ -16,17 +16,16 @@ class ODS implements EscaperInterface
*/ */
public function escape($string) public function escape($string)
{ {
// @NOTE: Using ENT_QUOTES as XML entities ('<', '>', '&') as well as
// single/double quotes (for XML attributes) need to be encoded.
if (defined('ENT_DISALLOWED')) { if (defined('ENT_DISALLOWED')) {
// 'ENT_DISALLOWED' ensures that invalid characters in the given document type are replaced. // 'ENT_DISALLOWED' ensures that invalid characters in the given document type are replaced.
// Otherwise control characters like a vertical tab "\v" will make the XML document unreadable by the XML processor // Otherwise control characters like a vertical tab "\v" will make the XML document unreadable by the XML processor
// @link https://github.com/box/spout/issues/329 // @link https://github.com/box/spout/issues/329
$replacedString = htmlspecialchars($string, ENT_NOQUOTES | ENT_DISALLOWED); $replacedString = htmlspecialchars($string, ENT_QUOTES | ENT_DISALLOWED);
} else { } else {
// We are on hhvm or any other engine that does not support ENT_DISALLOWED. // We are on hhvm or any other engine that does not support ENT_DISALLOWED.
// $escapedString = htmlspecialchars($string, ENT_QUOTES);
// @NOTE: Using ENT_NOQUOTES as only XML entities ('<', '>', '&') need to be encoded.
// Single and double quotes can be left as is.
$escapedString = htmlspecialchars($string, ENT_NOQUOTES);
// control characters values are from 0 to 1F (hex values) in the ASCII table // control characters values are from 0 to 1F (hex values) in the ASCII table
// some characters should not be escaped though: "\t", "\r" and "\n". // some characters should not be escaped though: "\t", "\r" and "\n".

6
src/Spout/Common/Helper/Escaper/XLSX.php
View File

@ -45,9 +45,9 @@ class XLSX implements EscaperInterface
$this->initIfNeeded(); $this->initIfNeeded();
$escapedString = $this->escapeControlCharacters($string); $escapedString = $this->escapeControlCharacters($string);
// @NOTE: Using ENT_NOQUOTES as only XML entities ('<', '>', '&') need to be encoded. // @NOTE: Using ENT_QUOTES as XML entities ('<', '>', '&') as well as
// Single and double quotes can be left as is. // single/double quotes (for XML attributes) need to be encoded.
$escapedString = htmlspecialchars($escapedString, ENT_NOQUOTES); $escapedString = htmlspecialchars($escapedString, ENT_QUOTES);
return $escapedString; return $escapedString;
} }

2
tests/Spout/Common/Helper/Escaper/ODSTest.php
View File

@ -17,7 +17,7 @@ class ODSTest extends TestCase
{ {
return [ return [
['test', 'test'], ['test', 'test'],
['carl\'s "pokemon"', 'carl\'s "pokemon"'], ['carl\'s "pokemon"', 'carl&#039;s &quot;pokemon&quot;'],
["\n", "\n"], ["\n", "\n"],
["\r", "\r"], ["\r", "\r"],
["\t", "\t"], ["\t", "\t"],

4
tests/Spout/Common/Helper/Escaper/XLSXTest.php
View File

@ -17,7 +17,7 @@ class XLSXTest extends TestCase
{ {
return [ return [
['test', 'test'], ['test', 'test'],
['adam\'s "car"', 'adam\'s "car"'], ['adam\'s "car"', 'adam&#039;s &quot;car&quot;'],
["\n", "\n"], ["\n", "\n"],
["\r", "\r"], ["\r", "\r"],
["\t", "\t"], ["\t", "\t"],
@ -26,7 +26,7 @@ class XLSXTest extends TestCase
['_x0000_', '_x005F_x0000_'], ['_x0000_', '_x005F_x0000_'],
[chr(21), '_x0015_'], [chr(21), '_x0015_'],
['control ' . chr(21) . ' character', 'control _x0015_ character'], ['control ' . chr(21) . ' character', 'control _x0015_ character'],
['control\'s ' . chr(21) . ' "character"', 'control\'s _x0015_ "character"'], ['control\'s ' . chr(21) . ' "character"', 'control&#039;s _x0015_ &quot;character&quot;'],
]; ];
} }

2
tests/Spout/Writer/ODS/WriterTest.php
View File

@ -441,7 +441,7 @@ class WriterTest extends TestCase
$this->writeToODSFile($dataRows, $fileName); $this->writeToODSFile($dataRows, $fileName);
$this->assertValueWasWritten($fileName, 'I\'m in "great" mood', 'Quotes should not be escaped'); $this->assertValueWasWritten($fileName, 'I&#039;m in &quot;great&quot; mood', 'Quotes should not be escaped');
$this->assertValueWasWritten($fileName, 'This &lt;must&gt; be escaped &amp; tested', '<, > and & should be escaped'); $this->assertValueWasWritten($fileName, 'This &lt;must&gt; be escaped &amp; tested', '<, > and & should be escaped');
} }

2
tests/Spout/Writer/XLSX/WriterTest.php
View File

@ -498,7 +498,7 @@ class WriterTest extends TestCase
$this->writeToXLSXFile($dataRows, $fileName); $this->writeToXLSXFile($dataRows, $fileName);
$this->assertInlineDataWasWrittenToSheet($fileName, 1, 'I\'m in "great" mood', 'Quotes should not be escaped'); $this->assertInlineDataWasWrittenToSheet($fileName, 1, 'I&#039;m in &quot;great&quot; mood', 'Quotes should not be escaped');
$this->assertInlineDataWasWrittenToSheet($fileName, 1, 'This &lt;must&gt; be escaped &amp; tested', '<, > and & should be escaped'); $this->assertInlineDataWasWrittenToSheet($fileName, 1, 'This &lt;must&gt; be escaped &amp; tested', '<, > and & should be escaped');
} }