Webform XLSX Export Module to Support PHPSpreadsheet ^2.1

Created on 29 August 2024, 4 months ago
Updated 16 September 2024, 3 months ago

Problem/Motivation

The Webform XLSX Export module currently relies on phpoffice/phpspreadsheet version ^1.9. One of our projects depends on PHPSpreadsheet ^2.0, creating compatibility issues when integrating with the Webform XLSX Export module.

Proposed Resolution

The solution is to modify the Webform XLSX Export module to support phpoffice/phpspreadsheet ^2.0. This change involves ensuring compatibility with the newer version and making necessary code adjustments to improve the module's functionality and integration with other projects.

Proposed patch attached

Feature request

Status: Fixed
Version: 1.0
Component: Code
Created by: 🇩🇰Denmark Andreas Albers Copenhagen

Comments & Activities

  • Issue created by @Andreas Albers
  • First commit to issue fork.
  • Merge request !3 "Fixed PHPSpreadsheet issue" (Merged) created by Unnamed author
  • Status changed to Needs review 4 months ago
  • 🇮🇳India sarwan_verma

    Hi,

    I have successfully applied the patch, and it is now working for me. I have created a Merge Request (MR!3) for it. Please review it.

    Thanks!

  • 🇨🇦Canada kpaxman

    Also important due to the recently announced library vulnerability. https://github.com/advisories/GHSA-ghg6-32f9-2jp7

  • 🇳🇱Netherlands spokje

    $ composer audit
    Found 2 security vulnerability advisories affecting 1 package:
    +-------------------+----------------------------------------------------------------------------------+
    | Package           | phpoffice/phpspreadsheet                                                         |
    | Severity          | high                                                                             |
    | CVE               | CVE-2024-45048                                                                   |
    | Title             | XXE in PHPSpreadsheet encoding is returned                                       |
    | URL               | https://github.com/advisories/GHSA-ghg6-32f9-2jp7                                |
    | Affected versions | <2.2.1                                                                           |
    | Reported at       | 2024-08-29T17:58:27+00:00                                                        |
    +-------------------+----------------------------------------------------------------------------------+
    +-------------------+----------------------------------------------------------------------------------+
    | Package           | phpoffice/phpspreadsheet                                                         |
    | Severity          | medium                                                                           |
    | CVE               | CVE-2024-45046                                                                   |
    | Title             | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style       |
    |                   | information                                                                      |
    | URL               | https://github.com/advisories/GHSA-wgmf-q9vr-vww6                                |
    | Affected versions | <2.1.0                                                                           |
    | Reported at       | 2024-08-29T17:56:56+00:00                                                        |
    +-------------------+----------------------------------------------------------------------------------+
    
  • 🇳🇱Netherlands spokje

    Added a new commit to the MR, in which I bumped phpoffice/phpspreadsheet to ^2.1 and dropped dev-dependency vijaycs85/drupal-quality-checker.

    The latter kept us on composer 1.x and, by the looks of it, won't work on the (not-so-new-anymore) GitLab CI that Drupal uses nowadays.

    After that commit I get:

    $ composer audit
    No security vulnerability advisories found.
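
An added example, not part of the thread or of the module's code: `composer audit` reports on the versions actually installed, so a clean result reflects the resolved version rather than everything a constraint allows. The Python below takes the two affected ranges quoted in the audit output above and reports whether a caret constraint allows none, some or all versions inside each range; the function names are hypothetical, and only simple `^x.y[.z]` constraints and single `<x.y.z` ranges are handled (stability suffixes are ignored).

```python
import re

# Affected ranges exactly as quoted in the `composer audit` output in this thread.
ADVISORIES = {
    "CVE-2024-45048": "<2.2.1",
    "CVE-2024-45046": "<2.1.0",
}

def parse_version(text):
    """'2.1' -> (2, 1, 0); missing components are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_bounds(constraint):
    """Return (inclusive floor, exclusive ceiling) of a Composer caret constraint."""
    match = re.fullmatch(r"\^(\d+(?:\.\d+){0,2})", constraint)
    if not match:
        raise ValueError(f"only simple caret constraints are handled: {constraint!r}")
    floor = parse_version(match.group(1))
    # The ceiling bumps the left-most non-zero component: ^2.1 -> <3.0.0, ^0.3 -> <0.4.0.
    for i, part in enumerate(floor):
        if part != 0:
            return floor, floor[:i] + (part + 1,) + (0,) * (2 - i)
    raise ValueError("all-zero caret constraints are not handled")

def admitted_advisories(constraint, advisories=ADVISORIES):
    """Map each advisory to 'none', 'some' or 'all' of the versions the constraint allows."""
    floor, ceiling = caret_bounds(constraint)
    result = {}
    for cve, affected in advisories.items():
        if not re.fullmatch(r"<\d+(\.\d+){0,2}", affected):
            raise ValueError(f"only single '<x.y.z' ranges are handled: {affected!r}")
        fixed = parse_version(affected[1:])  # first version outside the affected range
        if floor >= fixed:
            result[cve] = "none"   # every allowed version is already patched
        elif ceiling <= fixed:
            result[cve] = "all"    # no allowed version is patched
        else:
            result[cve] = "some"   # patched only if the resolver picks a new enough release
    return result

if __name__ == "__main__":
    for constraint in ("^1.9", "^2.1", "^2.2.1"):
        print(constraint, admitted_advisories(constraint))
```

A result of "some" means the protection comes from the resolved version, so an older lock file or a conflicting requirement elsewhere can still pull in an affected release.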
    
  • 🇳🇱Netherlands spokje

    Title update to match the current state of the MR.

  • 🇫🇷France prudloff Lille

    Yes, drupal-quality-checker is not maintained anymore so we should remove it. (Also we probably don't need to version composer.lock if we don't have any dev tools anymore.)
    Thanks for the MR, I will test it next week.

  • First commit to issue fork.
  • Status changed to RTBC 4 months ago
  • 🇳🇿New Zealand ericgsmith

    Have tested this with a few webforms. Changes look good and cell headers and data produced the expected results for me.

    Setting to RTBC. I note there is a comment that the composer.lock file can be removed that hasn't been actioned yet; needs work if that is intended to happen here, but the changes around the library and v2 compatibility look good to me.

  • Pipeline finished with Skipped
    4 months ago
    #271461
  • Status changed to Fixed 4 months ago
  • Automatically closed - issue fixed for 2 weeks with no activity.
