sheet_to_html not encoding value HTML attribute correctly #2890

New Issue

pluto · 2023-02-22T18:28:26Z

pluto commented

2023-02-22 18:28:26 +00:00

I encountered this running xlsx.mini.min.js v0.18.5.

XLSX.utils.sheet_to_html doesn't appear to HTML encode the data-v HTML attribute, so cells with quotes and/or angled brackets creates malformed HTML for me. I didn't fully verify this is the case but I was experiencing it with the one Excel file I ran into issues with.

For now, my workaround is calling this on the output of sheet_to_html (though obviously not the fix:

.replace(/ data-v="(.+?)"(?= id=")/g, (z,i) => ' data-v="' + i.replace(/[<>&"]/g, (j) => '&#'+j.charCodeAt(0)+';') + '"')

I encountered this running xlsx.mini.min.js v0.18.5. XLSX.utils.sheet_to_html doesn't appear to HTML encode the data-v HTML attribute, so cells with quotes and/or angled brackets creates malformed HTML for me. I didn't fully verify this is the case but I was experiencing it with the one Excel file I ran into issues with. For now, my workaround is calling this on the output of sheet_to_html (though obviously not the fix: .replace(/ data-v="(.+?)"(?= id=")/g, (z,i) => ' data-v="' + i.replace(/[<>&"]/g, (j) => '&#'+j.charCodeAt(0)+';') + '"')

sheetjs commented

2023-02-22 18:46:30 +00:00

Thanks for reporting! This also affects the number formats.

Both parts in https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/bits/79_html.js#L84-L85 need to be escaped.

Thanks for reporting! This also affects the number formats. Both parts in https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/bits/79_html.js#L84-L85 need to be escaped.

Sign in to join this conversation.