PHPOffice / PHPWord

A pure PHP library for reading and writing word processing documents
https://phpoffice.github.io/PHPWord/

Requirement to use htmlspecialchars() everywhere #910

Open igorsantos07 opened 8 years ago

igorsantos07 commented 8 years ago

Shouldn't content escaping be automatic, so we don't have to exactly remember DOCX is an XML file and manually escape our content before placing it into the file? It's quite annoying having to run everything through htmlspecialchars() to avoid weird errors when opening the file. This is worse when you have user input :/

On a side note, this is not needed on the sister project PHPExcel, even on XLSX, so I think this should be the default behavior here as well?

str commented 7 years ago

+1

JakeQZ commented 5 years ago

Since PHPWord 0.13.0 (I believe) you can use

\PhpOffice\PhpWord\Settings::setOutputEscapingEnabled(true);

which should do the trick. I don't know about PHPExcel.
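The setting above, shown in an added example that is not part of this thread or of the PHPWord project: the same untrusted string is written once with output escaping off (the default) and once with it on, and each result is checked by parsing word/document.xml out of the .docx package. It assumes a Composer install of phpoffice/phpword so that vendor/autoload.php exists; the input string and output file names are constructed.

```php
<?php
// Added example (not PHPWord project code). Assumes a Composer install of
// phpoffice/phpword providing vendor/autoload.php in this directory.
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpWord\IOFactory;
use PhpOffice\PhpWord\PhpWord;
use PhpOffice\PhpWord\Settings;

// Constructed sample of untrusted input: '<', '&' and '"' are significant
// in XML and, written raw, corrupt word/document.xml or alter its structure.
$userInput = 'Q1 results: revenue <up> 5% & costs "down"';

function buildDocx(string $text, string $path): void
{
    $phpWord = new PhpWord();
    $section = $phpWord->addSection();
    $section->addText($text);           // no htmlspecialchars() at the call site
    IOFactory::createWriter($phpWord, 'Word2007')->save($path);
}

// Defender's check: a .docx is a zip; word/document.xml must parse as XML.
function documentXmlIsWellFormed(string $path): bool
{
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return false;
    }
    $xml = $zip->getFromName('word/document.xml');
    $zip->close();
    libxml_use_internal_errors(true);
    $ok = $xml !== false && simplexml_load_string($xml) !== false;
    libxml_clear_errors();
    return $ok;
}

// 1. Escaping off (the default): raw markup characters reach the XML stream.
Settings::setOutputEscapingEnabled(false);
buildDocx($userInput, 'unescaped.docx');
printf("unescaped.docx well-formed: %s\n",
    documentXmlIsWellFormed('unescaped.docx') ? 'yes' : 'no');

// 2. Escaping on (PHPWord >= 0.13.0): the writer escapes text itself.
Settings::setOutputEscapingEnabled(true);
buildDocx($userInput, 'escaped.docx');
printf("escaped.docx well-formed: %s\n",
    documentXmlIsWellFormed('escaped.docx') ? 'yes' : 'no');
```

The well-formedness check is a cheap regression test to run over generated documents whenever user-controlled text is placed in them, since a malformed package is exactly the "weird errors when opening the file" symptom described above.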

CHOUKI-Mouhssine commented 4 years ago

@JakeQZ : thank you