From 45d168c79d2d3f3d0dd6247e2b527f3007d84793 Mon Sep 17 00:00:00 2001
From: xuri
Date: Tue, 15 Nov 2022 22:08:37 +0800
Subject: [PATCH] This closes #1391, escape XML characters to avoid with corrupt file
- Update and improve unit test coverage
---
 adjust.go | 8 +++-----
 cell.go | 5 ++++-
 stream_test.go | 18 +++++++++++++-----
 3 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/adjust.go b/adjust.go
index bf89927..de634fc 100644
--- a/adjust.go
+++ b/adjust.go
@@ -279,16 +279,14 @@ func (f *File) adjustAutoFilter(ws *xlsxWorksheet, dir adjustDirection, num, off
 rowData.Hidden = false
 }
 }
- return nil
+ return err
 }
 coordinates = f.adjustAutoFilterHelper(dir, coordinates, num, offset)
 x1, y1, x2, y2 = coordinates[0], coordinates[1], coordinates[2], coordinates[3]
- if ws.AutoFilter.Ref, err = f.coordinatesToRangeRef([]int{x1, y1, x2, y2}); err != nil {
- return err
- }
- return nil
+ ws.AutoFilter.Ref, err = f.coordinatesToRangeRef([]int{x1, y1, x2, y2})
+ return err
 }
 // adjustAutoFilterHelper provides a function for adjusting auto filter to
diff --git a/cell.go b/cell.go
index a0a2818..bbbb83a 100644
--- a/cell.go
+++ b/cell.go
@@ -12,6 +12,7 @@
 package excelize
 import (
+ "bytes"
 "encoding/xml"
 "fmt"
 "os"
@@ -490,7 +491,9 @@ func (c *xlsxC) setCellValue(val string) {
 // string.
 func (c *xlsxC) setInlineStr(val string) {
 c.T, c.V, c.IS = "inlineStr", "", &xlsxSI{T: &xlsxT{}}
- c.IS.T.Val, c.IS.T.Space = trimCellValue(val)
+ buf := &bytes.Buffer{}
+ _ = xml.EscapeText(buf, []byte(val))
+ c.IS.T.Val, c.IS.T.Space = trimCellValue(buf.String())
 }
 // setStr set cell data type and value which containing a formula string.
diff --git a/stream_test.go b/stream_test.go
index dca06aa..925a6a7 100644
--- a/stream_test.go
+++ b/stream_test.go
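Review bot: In the branch of adjustAutoFilter that removes the auto filter, `return err` now returns a variable that is presumably nil at that point (the check that would establish this is above the hunk), so the success path no longer reads as one. `return nil` states the intent directly and stays correct if code that can set `err` is later added above it. The tail change to `ws.AutoFilter.Ref, err = ...` followed by `return err` is fine as written. The function body starts outside the hunk.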
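Review bot: In setInlineStr, `trimCellValue` now runs on the escaped text, so if it truncates by length (its body is not in this hunk) it can cut through an entity such as `&amp;` and leave malformed XML in the cell, which is the corruption this patch is meant to prevent. Escaping also lengthens the string, so values near the limit would be cut shorter than before. Trim the raw value first and escape the result: `val, c.IS.T.Space = trimCellValue(val)`, then `_ = xml.EscapeText(buf, []byte(val))` and `c.IS.T.Val = buf.String()`. It is also worth confirming that no caller serialises `c.IS.T.Val` through `encoding/xml`, which would escape it a second time. The discarded error deserves a comment such as `// bytes.Buffer writes never fail, so the error can be ignored`.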
@@ -58,11 +58,19 @@ func TestStreamWriter(t *testing.T) {
 // Test set cell with style and rich text.
 styleID, err := file.NewStyle(&Style{Font: &Font{Color: "#777777"}})
 assert.NoError(t, err)
- assert.NoError(t, streamWriter.SetRow("A4", []interface{}{Cell{StyleID: styleID}, Cell{Formula: "SUM(A10,B10)"}}, RowOpts{Height: 45, StyleID: styleID}))
- assert.NoError(t, streamWriter.SetRow("A5", []interface{}{&Cell{StyleID: styleID, Value: "cell"}, &Cell{Formula: "SUM(A10,B10)"}, []RichTextRun{
- {Text: "Rich ", Font: &Font{Color: "2354e8"}},
- {Text: "Text", Font: &Font{Color: "e83723"}},
- }}))
+ assert.NoError(t, streamWriter.SetRow("A4", []interface{}{
+ Cell{StyleID: styleID},
+ Cell{Formula: "SUM(A10,B10)", Value: " preserve space "},
+ },
+ RowOpts{Height: 45, StyleID: styleID}))
+ assert.NoError(t, streamWriter.SetRow("A5", []interface{}{
+ &Cell{StyleID: styleID, Value: "cell <>&'\""},
+ &Cell{Formula: "SUM(A10,B10)"},
+ []RichTextRun{
+ {Text: "Rich ", Font: &Font{Color: "2354e8"}},
+ {Text: "Text", Font: &Font{Color: "e83723"}},
+ },
+ }))
 assert.NoError(t, streamWriter.SetRow("A6", []interface{}{time.Now()}))
 assert.NoError(t, streamWriter.SetRow("A7", nil, RowOpts{Height: 20, Hidden: true, StyleID: styleID}))
 assert.EqualError(t, streamWriter.SetRow("A8", nil, RowOpts{Height: MaxRowHeight + 1}), ErrMaxRowHeight.Error())
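Review bot: The new `"cell <>&'\""` and `" preserve space "` values are only passed to `SetRow` and checked with `assert.NoError`, so within this hunk nothing verifies that the text is written escaped and reads back unchanged. Unless the rest of TestStreamWriter (outside the hunk) already does so, add a read-back assertion after the stream is flushed and the workbook reopened, for example `assert.Equal(t, "cell <>&'\"", got)` on the value returned for A5. A value at the maximum cell length that contains `&` would also cover the interaction between escaping and truncation in setInlineStr.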