From d8387c1abad2e0e44af3f936cad0e6d5746ad271 Mon Sep 17 00:00:00 2001 From: Tim Jarrett Date: Tue, 2 Feb 2016 16:17:20 -0500 Subject: [PATCH] Escape incoming invalid XML characters using htmlspecialchars(). --- src/PhpWord/Reader/Word2007/AbstractPart.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/PhpWord/Reader/Word2007/AbstractPart.php b/src/PhpWord/Reader/Word2007/AbstractPart.php index 7509a382..9623fb79 100644 --- a/src/PhpWord/Reader/Word2007/AbstractPart.php +++ b/src/PhpWord/Reader/Word2007/AbstractPart.php @@ -135,7 +135,7 @@ abstract class AbstractPart } } } - $parent->addPreserveText($textContent, $fontStyle, $paragraphStyle); + $parent->addPreserveText(htmlspecialchars($textContent, ENT_QUOTES | ENT_XML1), $fontStyle, $paragraphStyle); } elseif ($xmlReader->elementExists('w:pPr/w:numPr', $domNode)) { // List item $numId = $xmlReader->getAttribute('w:val', $domNode, 'w:pPr/w:numPr/w:numId'); @@ -152,7 +152,7 @@ abstract class AbstractPart $textContent = null; $nodes = $xmlReader->getElements('w:r', $domNode); if ($nodes->length === 1) { - $textContent = $xmlReader->getValue('w:t', $nodes->item(0)); + $textContent = htmlspecialchars($xmlReader->getValue('w:t', $nodes->item(0)), ENT_QUOTES | ENT_XML1); } else { $textContent = new TextRun($paragraphStyle); foreach ($nodes as $node) { @@ -275,7 +275,7 @@ abstract class AbstractPart $parent->addText("\t"); } elseif ($node->nodeName == 'w:t' || $node->nodeName == 'w:delText') { // TextRun - $textContent = $xmlReader->getValue('.', $node); + $textContent = htmlspecialchars($xmlReader->getValue('.', $node), ENT_QUOTES | ENT_XML1); if ($runParent->nodeName == 'w:hyperlink') { $rId = $xmlReader->getAttribute('r:id', $runParent);