PhpSpreadsheet Cross-Site Scripting Vulnerability in Custom Properties

A cross-site scripting (XSS) vulnerability has been identified in PhpSpreadsheet, a PHP library for reading and writing spreadsheet files. This issue affects versions 3.6.0, 2.1.5, 2.3.4, and all versions prior to 1.29.7. The vulnerability arises because the library generates HTML pages without properly sanitizing custom properties, allowing attackers to inject malicious JavaScript that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the user's browser.

Reproduction

To reproduce this vulnerability, create an Excel file with custom properties that include unsanitized HTML, such as an image tag in a string property. Then, add a hyperlink property with a JavaScript URL. When this file is processed by PhpSpreadsheet version 3.6.0, the injected JavaScript will be executed in the browser. This can be tested by loading the crafted Excel file with a script that uses PhpSpreadsheet to convert it to HTML, such as 'BadCustomPropertyTest.php'.

Remediation

Users can upgrade to PhpSpreadsheet versions 3.7.0, 2.3.5, 2.1.6, or 1.29.7, all of which include a patch for this vulnerability.