| author | Jonathan Tron <[email protected]> | 2015-09-23 16:37:47 +0200 |
|---|---|---|
| committer | Jonathan Tron <[email protected]> | 2015-09-23 16:37:47 +0200 |
| commit | b357172c69cbcf1f78b53912fb820fc902babad5 (patch) | |
| tree | b99b98b2fd89e2d31261385158c411ee685d3665 | |
| parent | 58ecbb50a8e569c613e8e7e30c0c241f30fcb812 (diff) | |
| parent | d85eb0160f3d2ff9ff283a9db4f63925d23694c1 (diff) | |
Merge pull request #417 from VueOps/escape_special_characters_in_drawing_str_val
Escape special characters in chart `StrVal`
| -rw-r--r-- | lib/axlsx/drawing/str_val.rb | 2 | ||||
| -rw-r--r-- | test/drawing/tc_str_val.rb | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/lib/axlsx/drawing/str_val.rb b/lib/axlsx/drawing/str_val.rb
index 10a4fe91..0687833e 100644
--- a/lib/axlsx/drawing/str_val.rb
+++ b/lib/axlsx/drawing/str_val.rb
@@ -27,7 +27,7 @@ module Axlsx
 def to_xml_string(idx, str = "")
 Axlsx::validate_unsigned_int(idx)
 if !v.to_s.empty?
- str << ('<c:pt idx="' << idx.to_s << '"><c:v>' << v.to_s << '</c:v></c:pt>')
+ str << ('<c:pt idx="' << idx.to_s << '"><c:v>' << ::CGI.escapeHTML(v.to_s) << '</c:v></c:pt>')
 end
 end
 end
diff --git a/test/drawing/tc_str_val.rb b/test/drawing/tc_str_val.rb
index 0e4ca835..e4547f62 100644
--- a/test/drawing/tc_str_val.rb
+++ b/test/drawing/tc_str_val.rb
@@ -4,6 +4,7 @@ class TestStrVal < Test::Unit::TestCase
 def setup
 @str_val = Axlsx::StrVal.new :v => "1"
+ @str_val_with_special_characters = Axlsx::StrVal.new :v => "a & b <c>"
 end
 def test_initialize
@@ -18,4 +19,12 @@ class TestStrVal < Test::Unit::TestCase
 assert_equal(doc.xpath("//c:pt/c:v[text()='1']").size, 1)
 end
+ def test_to_xml_string_special_characters
+ str = '<?xml version="1.0" encoding="UTF-8"?>'
+ str << '<c:chartSpace xmlns:c="' << Axlsx::XML_NS_C << '">'
+ str << @str_val_with_special_characters.to_xml_string(0)
+ doc = Nokogiri::XML(str)
+ assert_equal(doc.xpath("//c:pt/c:v[text()='a & b <c>']").size, 1)
+ end
+
 end |
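Review bot: `::CGI.escapeHTML(v.to_s)` on the changed line in `to_xml_string` neutralises `&`, `<`, `>` and quotes, but it passes through characters that XML 1.0 forbids outright (most C0 control characters). A chart label taken from untrusted data can therefore still yield a malformed chart part. If the library already strips control characters from cell text, apply the same step to `v` here before escaping. The hunk also does not show where `cgi` is loaded; unless it is required elsewhere in the library, `::CGI` raises NameError when a chart is serialised, so add `require 'cgi'` to this file or confirm it is loaded centrally.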
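Review bot: `test_to_xml_string_special_characters` never closes `<c:chartSpace>`, so the document it builds is only parseable because `Nokogiri::XML` recovers from errors by default. The test therefore checks the recovered text, not that the serialised output is well-formed. Append the closing tag with `str << '</c:chartSpace>'` before parsing and add `assert(doc.errors.empty?)` after it, so a regression that emits raw markup fails on well-formedness as well. The fixture `"a & b <c>"` also omits `"` and `'`, which `CGI.escapeHTML` rewrites too; a second fixture containing quotes would pin that behaviour.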
