Merge commit from fork

Author: oleibman

src/PhpSpreadsheet/Writer/Html.php

@@ -561,7 +561,7 @@ public function generateNavigation(): string
             $html .= '<ul class="navigation">' . PHP_EOL;
 
             foreach ($sheets as $sheet) {
-                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;
+                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . htmlspecialchars($sheet->getTitle()) . '</a></li>' . PHP_EOL;
                 ++$sheetId;
             }
 

tests/PhpSpreadsheetTests/Writer/Html/NavigationBadTitleTest.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
+
+use PhpOffice\PhpSpreadsheet\Spreadsheet;
+use PhpOffice\PhpSpreadsheet\Writer\Html as HtmlWriter;
+use PHPUnit\Framework\TestCase;
+
+class NavigationBadTitleTest extends TestCase
+{
+    public function testNavigationTitle(): void
+    {
+        $spreadsheet = new Spreadsheet();
+        $sheet = $spreadsheet->getActiveSheet();
+        $sheet->getCell('A1')->setValue(1);
+        $sheet2 = $spreadsheet->createSheet();
+        $sheet2->setTitle('<img src=x onerror=alert(1)>');
+        $sheet2->getCell('A2')->setValue(2);
+
+        $writer = new HtmlWriter($spreadsheet);
+        $writer->writeAllSheets();
+        $html = $writer->generateHTMLAll();
+        $expected = '<ul class="navigation">'
+            . PHP_EOL
+            . '  <li class="sheet0"><a href="#sheet0">Worksheet</a></li>'
+            . PHP_EOL
+            . '  <li class="sheet1"><a href="#sheet1">&lt;img src=x onerror=alert(1)&gt;</a></li>'
+            . PHP_EOL
+            . '</ul>';
+        self::assertStringContainsString($expected, $html, 'appropriate characters are escaped');
+        $spreadsheet->disconnectWorksheets();
+    }
+}