PhpSpreadsheet Cross-Site Scripting Vulnerability in the HTML Writer Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in PhpSpreadsheet, a PHP library for reading and writing spreadsheet files. The issue affects versions 3.6.0, 2.3.4, 2.1.5, and releases prior to 1.29.7. The flaw lies in the HTML writer component, specifically in the 'generateRow' method: the library's XSS sanitization can be bypassed by embedding special characters in a hyperlink that uses the 'javascript' protocol, so the generated HTML contains a link that executes arbitrary JavaScript in the browser. Exploitation occurs when a user views HTML generated from a specially crafted Excel file.

Impact

Exploiting this vulnerability allows for the execution of arbitrary JavaScript code in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create an Excel file containing a hyperlink that uses the 'javascript' protocol, with special characters embedded in it to evade the default sanitization. Save the file, load it with PhpSpreadsheet, and write it out with the 'Html' writer. The generated HTML will include the malicious link, which can be verified by checking for the presence of the JavaScript payload, such as an 'alert()' call, in the rendered output.

Remediation

Users can upgrade to PhpSpreadsheet versions 3.7.0, 2.3.5, 2.1.6, or 1.29.7, all of which include the necessary patch to address this vulnerability.
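Upgrading is the fix. As a defence-in-depth measure for the interval before an upgrade lands, the following is an added example (it is not PhpSpreadsheet's own code and not part of the advisory) of post-processing the HTML the 'Html' writer produces: every hyperlink scheme is checked against an allowlist after stripping ASCII whitespace and control characters, so a 'javascript' link padded with special characters, as described above, is rejected along with any other unknown scheme rather than matched against a blocklist. The function names, the allowlist and the sample HTML are assumptions made for this example; the sample stands in for writer output and is constructed.

```php
<?php
// Added example, not PhpSpreadsheet's own code: defence-in-depth filter for
// HTML produced by the Html writer. Function names and the allowlist are
// assumptions made for this example.

declare(strict_types=1);

// Schemes a hyperlink in exported HTML is allowed to use (assumed policy).
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Decide whether an href value is safe to keep.
 * Browsers ignore ASCII whitespace and control characters inside a scheme
 * when resolving a URL, so they are stripped before the comparison. Anything
 * with a scheme that is not on the allowlist (including 'javascript:') is
 * rejected; scheme-less relative links such as fragments are kept.
 */
function isAllowedHref(string $href): bool
{
    // Strip C0 control characters, ASCII whitespace and DEL anywhere in the value.
    $normalized = preg_replace('/[\x00-\x20\x7F]+/', '', $href) ?? '';

    // No "scheme:" prefix means a relative URL, which cannot run script.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

/**
 * Remove the href attribute from every <a> element whose target scheme is not
 * allowed. DOMDocument already decodes entities in attribute values, so the
 * check sees the same string a browser would.
 */
function sanitizeSpreadsheetHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // writer output may not be strict HTML
    $doc->loadHTML($html);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('a') as $anchor) {
        $href = $anchor->getAttribute('href');
        if ($href !== '' && !isAllowedHref($href)) {
            $anchor->removeAttribute('href');
            // Leave a marker so reviewers can see that a link was neutralised.
            $anchor->setAttribute('data-removed-href', 'disallowed-scheme');
        }
    }
    return $doc->saveHTML();
}

// Constructed sample standing in for HTML generated by the Html writer.
$sample = '<html><head><meta charset="utf-8"></head><body><table>'
    . '<tr><td><a href="https://example.com/report">Report</a></td></tr>'
    . '<tr><td><a href="#sheet1">Sheet 1</a></td></tr>'
    . '<tr><td><a href="javascript:alert(1)">Totals</a></td></tr>'
    . '</table></body></html>';

echo sanitizeSpreadsheetHtml($sample);
```

Feed the function the string the 'Html' writer produces (for example the contents of the file passed to its save() method) before serving it to a browser. The filter is an allowlist by design: new bypass spellings of the 'javascript' scheme do not need to be enumerated, because anything that is not http, https, mailto or a relative link loses its href.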

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.7
exploitability: 4.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.