From 4088381ccfaf241d7d42c333de0dc8c98e338743 Mon Sep 17 00:00:00 2001
From: oleibman <10341515+oleibman@users.noreply.github.com>
Date: Sat, 11 Jan 2025 18:00:07 -0800
Subject: [PATCH] Merge commit from fork

---
 src/PhpSpreadsheet/Writer/Html.php            |  2 +-
 .../Writer/Html/NavigationBadTitleTest.php    | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php

diff --git a/src/PhpSpreadsheet/Writer/Html.php b/src/PhpSpreadsheet/Writer/Html.php
index d70a067f6f..48e8450352 100644
--- a/src/PhpSpreadsheet/Writer/Html.php
+++ b/src/PhpSpreadsheet/Writer/Html.php
@@ -561,7 +561,7 @@ public function generateNavigation(): string
             $html .= '<ul class="navigation">' . PHP_EOL;
 
             foreach ($sheets as $sheet) {
-                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;
+                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . htmlspecialchars($sheet->getTitle()) . '</a></li>' . PHP_EOL;
                 ++$sheetId;
             }
 
diff --git a/tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php b/tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php
new file mode 100644
index 0000000000..284fd9f4e5
--- /dev/null
+++ b/tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Spreadsheet;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class NavigationBadTitleTest extends TestCase
+{
+    public function testNavigationTitle(): void
+    {
+        $spreadsheet = new Spreadsheet();
+        $sheet = $spreadsheet->getActiveSheet();
+        $sheet->getCell('A1')->setValue(1);
+        $sheet2 = $spreadsheet->createSheet();
+        $sheet2->setTitle('<img src=x onerror=alert(1)>');
+        $sheet2->getCell('A2')->setValue(2);
+
+        $writer = new HtmlWriter($spreadsheet);
+        $writer->writeAllSheets();
+        $html = $writer->generateHTMLAll();
+        $expected = '<ul class="navigation">'
+            . PHP_EOL
+            . '  <li class="sheet0"><a href="#sheet0">Worksheet</a></li>'
+            . PHP_EOL
+            . '  <li class="sheet1"><a href="#sheet1">&lt;img src=x onerror=alert(1)&gt;</a></li>'
+            . PHP_EOL
+            . '</ul>';
+        self::assertStringContainsString($expected, $html, 'appropriate characters are escaped');
+        $spreadsheet->disconnectWorksheets();
+    }
+}