PHPOffice PhpSpreadsheet Cross-Site Scripting Vulnerability Bypass

Vulnerability

PHPOffice PhpSpreadsheet versions 3.0.0 prior to 3.9.0, 1.29.0 prior to 1.29.9, and 2.2.0 prior to 2.3.7 allow a bypass of the Cross-site Scripting (XSS) sanitizer in the 'Html' writer. A cell hyperlink that uses the javascript protocol in combination with special characters (whitespace or control characters) is not recognised as dangerous by the check in the 'generateRow' method and is written into the generated HTML unchanged. Browsers normalise such a URL before acting on it, so when a user views the generated HTML the arbitrary JavaScript runs in that user's browser. The crafted hyperlink can be delivered in a spreadsheet saved in the XML format that the 'Xml' reader accepts.

Impact

Exploiting this vulnerability executes arbitrary JavaScript in the browser of any user who views HTML that PhpSpreadsheet generated from the malicious spreadsheet.

Reproduction

To reproduce this vulnerability, create a spreadsheet in the XML format that contains a cell hyperlink using the javascript protocol, with special characters such as control characters or whitespace inserted so that a plain prefix check does not match. Load the file with the 'Xml' reader, then pass the resulting spreadsheet to the 'Html' writer to produce an HTML representation. When the generated HTML is opened in a browser, the embedded JavaScript executes, demonstrating that the sanitizer was bypassed.
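The class of bypass described above (a scheme denylist defeated by whitespace or control characters that the browser later strips) can be modelled independently of the library. The following is an added example, not PhpSpreadsheet's own code: the library is written in PHP, and this models the check in JavaScript so that the WHATWG URL parser built into Node.js can act as the oracle for how a browser will actually interpret each hyperlink. The naive check, the allowlist of schemes, the assumed document base URL and the sample hyperlinks are all constructed for illustration.

```javascript
// Added example, not code from PhpSpreadsheet. Models a naive hyperlink
// sanitizer beside a hardened one and uses the WHATWG URL parser (the
// same algorithm browsers use) to show which inputs each one misses.

// Naive denylist of the kind the advisory says was bypassed: a plain
// prefix test on the raw cell hyperlink.
function naiveIsBlocked(href) {
  return href.toLowerCase().startsWith("javascript:");
}

// Hardened check: resolve the href the way a browser does. The WHATWG URL
// parser strips leading/trailing C0 controls and spaces and removes
// tab/CR/LF anywhere in the input before it reads the scheme, so the
// scheme it reports is the one the browser will act on. Then allowlist
// schemes instead of denylisting dangerous ones.
// ALLOWED_SCHEMES and DOCUMENT_BASE are assumptions for this example;
// DOCUMENT_BASE only serves to resolve relative links.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const DOCUMENT_BASE = "https://example.invalid/report.html";

function effectiveScheme(href) {
  try {
    return new URL(href, DOCUMENT_BASE).protocol;
  } catch (e) {
    return null; // unparseable: treat as unsafe
  }
}

function hardenedIsBlocked(href) {
  const scheme = effectiveScheme(href);
  return scheme === null || !ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample hyperlinks of the shape the advisory describes:
// the javascript scheme combined with whitespace or control characters.
const SAMPLES = [
  "https://example.com/",
  "/sheets/2",                     // relative link, resolved against the base
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",          // leading space
  "\tjavascript:alert(1)",         // leading tab
  "java\tscript:alert(1)",         // tab inside the scheme
  "java\nscript:alert(1)",         // newline inside the scheme
  "\u0001javascript:alert(1)",     // leading C0 control character
];

// Returns, for each sample, what both checks decide and the scheme the
// browser would actually see.
function compare(samples) {
  return samples.map((href) => ({
    href,
    naive: naiveIsBlocked(href),
    hardened: hardenedIsBlocked(href),
    scheme: effectiveScheme(href),
  }));
}

for (const r of compare(SAMPLES)) {
  console.log(JSON.stringify(r));
}
```

Every variant with a space, tab, newline or control character slips past the prefix test while the URL parser still reports the scheme as javascript:, which is exactly the gap the advisory describes. The fix direction is the same in any language: normalise the URL the way the consumer (here, the browser) will, then accept only known-safe schemes.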

Remediation

Users are advised to upgrade to PhpSpreadsheet version 3.9.0, 2.3.7, 2.1.8, or 1.29.9, whichever is the fixed release for the branch in use. Where an upgrade cannot be applied immediately, treat HTML produced by the 'Html' writer from untrusted spreadsheets as untrusted content: validate cell hyperlinks against an allowlist of schemes before writing, and serve the generated HTML with a restrictive Content Security Policy or in a sandboxed frame.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.7
exploitability: 3.9
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.