| author | Zsolt Kozaroczy <[email protected]> | 2019-12-29 19:11:05 +0100 |
|---|---|---|
| committer | Stefan Daschek <[email protected]> | 2019-12-29 19:11:05 +0100 |
| commit | e65ec48bc86379efed0c1b87a13bff14930416d5 (patch) | |
| tree | acda1d6f5dbaccb828d2192c4f28cdac56c49785 /lib | |
| parent | 0a223011a26949ddc00eba882005daee7afeb6a6 (diff) | |
| download | caxlsx-e65ec48bc86379efed0c1b87a13bff14930416d5.tar.gz caxlsx-e65ec48bc86379efed0c1b87a13bff14930416d5.zip | |
Escape special characters in charts (#40)
Fixes #37
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/axlsx/drawing/series_title.rb | 4 | ||||
| -rw-r--r-- | lib/axlsx/drawing/title.rb | 5 |
2 files changed, 6 insertions, 3 deletions
diff --git a/lib/axlsx/drawing/series_title.rb b/lib/axlsx/drawing/series_title.rb
index 9ef97304..2e730dea 100644
--- a/lib/axlsx/drawing/series_title.rb
+++ b/lib/axlsx/drawing/series_title.rb
@@ -7,13 +7,15 @@ module Axlsx
 # @param [String] str
 # @return [String]
 def to_xml_string(str = '')
+ clean_value = Axlsx::trust_input ? @text.to_s : ::CGI.escapeHTML(Axlsx::sanitize(@text.to_s))
+
 str << '<c:tx>'
 str << '<c:strRef>'
 str << ('<c:f>' << Axlsx::cell_range([@cell]) << '</c:f>')
 str << '<c:strCache>'
 str << '<c:ptCount val="1"/>'
 str << '<c:pt idx="0">'
- str << ('<c:v>' << @text << '</c:v>')
+ str << ('<c:v>' << clean_value << '</c:v>')
 str << '</c:pt>'
 str << '</c:strCache>'
 str << '</c:strRef>'
diff --git a/lib/axlsx/drawing/title.rb b/lib/axlsx/drawing/title.rb
index 7f2ff9f4..002ae94f 100644
--- a/lib/axlsx/drawing/title.rb
+++ b/lib/axlsx/drawing/title.rb
@@ -62,6 +62,7 @@ module Axlsx
 def to_xml_string(str = '')
 str << '<c:title>'
 unless @text.empty?
+ clean_value = Axlsx::trust_input ? @text.to_s : ::CGI.escapeHTML(Axlsx::sanitize(@text.to_s))
 str << '<c:tx>'
 if @cell.is_a?(Cell)
 str << '<c:strRef>'
@@ -69,7 +70,7 @@ module Axlsx
 str << '<c:strCache>'
 str << '<c:ptCount val="1"/>'
 str << '<c:pt idx="0">'
- str << ('<c:v>' << @text << '</c:v>')
+ str << ('<c:v>' << clean_value << '</c:v>')
 str << '</c:pt>'
 str << '</c:strCache>'
 str << '</c:strRef>'
@@ -80,7 +81,7 @@ module Axlsx
 str << '<a:p>'
 str << '<a:r>'
 str << ('<a:rPr sz="' << @text_size.to_s << '"/>')
- str << ('<a:t>' << @text.to_s << '</a:t>')
+ str << ('<a:t>' << clean_value << '</a:t>')
 str << '</a:r>'
 str << '</a:p>'
 str << '</c:rich>'
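Review bot: The escaping expression `Axlsx::trust_input ? @text.to_s : ::CGI.escapeHTML(Axlsx::sanitize(@text.to_s))` added at the top of series_title.rb's `to_xml_string` is repeated verbatim in the first title.rb hunk, and the two copies will drift the next time the escaping rule changes; it belongs in one helper on the Axlsx module that both `to_xml_string` methods call. The new line also deserves a comment for readers who do not know the setting, e.g. `# trust_input skips escaping: the caller vouches that @text is already safe XML text`. Whether `cgi` is already required somewhere in the library is not visible here; if it is not, `::CGI` needs a `require 'cgi'` at the top of this file. The method's closing lines fall outside the hunk.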
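Review bot: In title.rb's `to_xml_string` the new `clean_value` line calls `@text.to_s`, but the `unless @text.empty?` guard directly above it already assumes `@text` is a String and would raise NoMethodError on nil; either the `.to_s` is redundant or the guard should read `unless @text.to_s.empty?` so the two agree. With `trust_input` set the raw `@text` is still written unescaped into both the `<c:v>` and `<a:t>` elements, so a title containing `<` or `&` produces malformed chart XML in that mode — presumably the intended meaning of the setting, but worth stating in a comment at the assignment. The diffstat is limited to lib, so whether a regression test for #37 accompanies the change cannot be seen here. The enclosing method starts at the top of the first title.rb hunk and continues past the last one.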
