This closes #1391, escape XML characters to avoid with corrupt file

- Update and improve unit test coverage
qax-os · Nov 15, 2022 · 45d168c · 45d168c
1 parent ac564af
commit 45d168c
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 11 deletions.
diff --git a/adjust.go b/adjust.go
@@ -279,16 +279,14 @@ func (f *File) adjustAutoFilter(ws *xlsxWorksheet, dir adjustDirection, num, off
 				rowData.Hidden = false
 			}
 		}
-		return nil
+		return err
 	}
 
 	coordinates = f.adjustAutoFilterHelper(dir, coordinates, num, offset)
 	x1, y1, x2, y2 = coordinates[0], coordinates[1], coordinates[2], coordinates[3]
 
-	if ws.AutoFilter.Ref, err = f.coordinatesToRangeRef([]int{x1, y1, x2, y2}); err != nil {
-		return err
-	}
-	return nil
+	ws.AutoFilter.Ref, err = f.coordinatesToRangeRef([]int{x1, y1, x2, y2})
+	return err
 }
 
 // adjustAutoFilterHelper provides a function for adjusting auto filter to

diff --git a/cell.go b/cell.go
@@ -12,6 +12,7 @@
 package excelize
 
 import (
+	"bytes"
 	"encoding/xml"
 	"fmt"
 	"os"
@@ -490,7 +491,9 @@ func (c *xlsxC) setCellValue(val string) {
 // string.
 func (c *xlsxC) setInlineStr(val string) {
 	c.T, c.V, c.IS = "inlineStr", "", &xlsxSI{T: &xlsxT{}}
-	c.IS.T.Val, c.IS.T.Space = trimCellValue(val)
+	buf := &bytes.Buffer{}
+	_ = xml.EscapeText(buf, []byte(val))
+	c.IS.T.Val, c.IS.T.Space = trimCellValue(buf.String())
 }
 
 // setStr set cell data type and value which containing a formula string.

diff --git a/stream_test.go b/stream_test.go
@@ -58,11 +58,19 @@ func TestStreamWriter(t *testing.T) {
 	// Test set cell with style and rich text.
 	styleID, err := file.NewStyle(&Style{Font: &Font{Color: "#777777"}})
 	assert.NoError(t, err)
-	assert.NoError(t, streamWriter.SetRow("A4", []interface{}{Cell{StyleID: styleID}, Cell{Formula: "SUM(A10,B10)"}}, RowOpts{Height: 45, StyleID: styleID}))
-	assert.NoError(t, streamWriter.SetRow("A5", []interface{}{&Cell{StyleID: styleID, Value: "cell"}, &Cell{Formula: "SUM(A10,B10)"}, []RichTextRun{
-		{Text: "Rich ", Font: &Font{Color: "2354e8"}},
-		{Text: "Text", Font: &Font{Color: "e83723"}},
-	}}))
+	assert.NoError(t, streamWriter.SetRow("A4", []interface{}{
+		Cell{StyleID: styleID},
+		Cell{Formula: "SUM(A10,B10)", Value: " preserve space "},
+	},
+		RowOpts{Height: 45, StyleID: styleID}))
+	assert.NoError(t, streamWriter.SetRow("A5", []interface{}{
+		&Cell{StyleID: styleID, Value: "cell <>&'\""},
+		&Cell{Formula: "SUM(A10,B10)"},
+		[]RichTextRun{
+			{Text: "Rich ", Font: &Font{Color: "2354e8"}},
+			{Text: "Text", Font: &Font{Color: "e83723"}},
+		},
+	}))
 	assert.NoError(t, streamWriter.SetRow("A6", []interface{}{time.Now()}))
 	assert.NoError(t, streamWriter.SetRow("A7", nil, RowOpts{Height: 20, Hidden: true, StyleID: styleID}))
 	assert.EqualError(t, streamWriter.SetRow("A8", nil, RowOpts{Height: MaxRowHeight + 1}), ErrMaxRowHeight.Error())