PHPOffice
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 25 additions & 6 deletions b/‎.github/workflows/main.yml‎
Lines changed: 25 additions & 6 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎bin/findpolyfill.php‎
Lines changed: 44 additions & 0 deletions b/‎bin/findpolyfill.php‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎src/PhpSpreadsheet/Calculation/MathTrig/Round.php‎
Lines changed: 22 additions & 27 deletions b/‎src/PhpSpreadsheet/Calculation/MathTrig/Round.php‎
Lines changed: 22 additions & 27 deletions
diff --git a/‎src/PhpSpreadsheet/Calculation/MathTrig/Trunc.php‎
Lines changed: 4 additions & 33 deletions b/‎src/PhpSpreadsheet/Calculation/MathTrig/Trunc.php‎
Lines changed: 4 additions & 33 deletions
diff --git a/‎src/PhpSpreadsheet/Reader/Security/XmlScanner.php‎
Lines changed: 35 additions & 17 deletions b/‎src/PhpSpreadsheet/Reader/Security/XmlScanner.php‎
Lines changed: 35 additions & 17 deletions
@@ -14,6 +14,7 @@ jobs:
           - '8.1'
           - '8.2'
           - '8.3'
+          - '8.4'
 
         include:
           - php-version: 'nightly'
@@ -75,14 +76,32 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.1
+          php-version: 8.3
           extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib
           coverage: none
 
       # This is non-ideal because it only checks for the last commit of the PR, not all of them, but better than nothing
       - name: Check PHPDoc types
         run: ./bin/check-phpdoc-types
 
+  find-polyfill:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Setup PHP, with composer and extensions
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.3
+          extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib
+          coverage: none
+
+      - name: Find code that might require polyfill
+        run: php ./bin/findpolyfill.php
+
   php-cs-fixer:
     runs-on: ubuntu-latest
     steps:
@@ -92,7 +111,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.1
+          php-version: 8.3
           extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib
           coverage: none
           tools: cs2pr
@@ -123,7 +142,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.1
+          php-version: 8.3
           extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib
           coverage: none
           tools: cs2pr
@@ -154,7 +173,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.1
+          php-version: 8.3
           extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib
           coverage: none
           tools: cs2pr
@@ -185,7 +204,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.1
+          php-version: 8.3
           extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib
           coverage: none
           tools: cs2pr
@@ -218,7 +237,7 @@ jobs:
       - name: Setup PHP, with composer and extensions
         uses: shivammathur/setup-php@v2
         with:
-          php-version: 8.1
+          php-version: 8.3
           extensions: ctype, dom, gd, iconv, fileinfo, libxml, mbstring, simplexml, xml, xmlreader, xmlwriter, zip, zlib
           coverage: pcov
 
 
@@ -5,11 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com)
 and this project adheres to [Semantic Versioning](https://semver.org).
 
-## TBD - 2.1.2
+## 2024-11-10 - 2.1.2
+
+### Fixed
+
+- Backported security patches.
+- Write ignoredErrors Tag Before Drawings. Backport of [PR #4212](https://github.com/PHPOffice/PhpSpreadsheet/pull/4212) intended for 3.4.0.
+- Changes to ROUNDDOWN/ROUNDUP/TRUNC. Backport of [PR #4214](https://github.com/PHPOffice/PhpSpreadsheet/pull/4214) intended for 3.4.0.
 
 ### Added
 
-- Method to Test Whether Csv Will Be Affected by Php9 (backport of PR #4189 intended for 3.4.0)
+- Method to Test Whether Csv Will Be Affected by Php9. Backport of [PR #4189](https://github.com/PHPOffice/PhpSpreadsheet/pull/4189) intended for 3.4.0.
 
 ## 2024-09-29 2.1.1
 
 
@@ -0,0 +1,44 @@
+#!/usr/bin/env php
+<?php
+
+function findPolyfill(string $directory): int
+{
+    // See issue #4215 - code which should have erred in unit test
+    // succeeded because a dev package required polyfills.
+    $retCode = 0;
+    $polyfill81 = 'MYSQLI_REFRESH_REPLICA\\b'
+        . '|fdiv[(]'
+        . '|array_is_list[(]'
+        . '|enum_exists[(]';
+    $polyfill = '/\\b(?:'
+        . $polyfill81
+        . '})/';
+
+    $it = new RecursiveIteratorIterator(
+        new RecursiveDirectoryIterator($directory, FilesystemIterator::UNIX_PATHS)
+    );
+
+    foreach ($it as $file) {
+        if ($file->getExtension() === 'php') {
+            $fullname = $it->getPath() . '/' . $it->getBaseName();
+            $contents = file_get_contents($fullname);
+            if ($contents === false) {
+                echo "failed to read $fullname\n";
+                ++$retCode;
+            } elseif (preg_match_all($polyfill, $contents, $matches)) {
+                var_dump($fullname, $matches);
+                ++$retCode;
+            }
+        }
+    }
+
+    return $retCode;
+}
+
+// Don't care if tests use polyfill
+$errors = findPolyfill(__DIR__ . '/../src') + findPolyfill(__DIR__ . '/../samples');
+if ($errors !== 0) {
+    echo "Found $errors files that might require polyfills\n";
+    exit(1);
+}
+echo "No polyfills needed\n";
@@ -5,6 +5,8 @@
 use PhpOffice\PhpSpreadsheet\Calculation\ArrayEnabled;
 use PhpOffice\PhpSpreadsheet\Calculation\Exception;
 use PhpOffice\PhpSpreadsheet\Calculation\Information\ExcelError;
+// following added in Php8.4
+use RoundingMode;
 
 class Round
 {
@@ -67,31 +69,28 @@ public static function up($number, $digits): array|string|float
             return 0.0;
         }
 
-        $digitsPlus1 = $digits + 1;
-        if ($number < 0.0) {
-            if ($digitsPlus1 < 0) {
-                return round($number - 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_DOWN);
-            }
-            $result = sprintf("%.{$digitsPlus1}F", $number - 0.5 * 0.1 ** $digits);
-
-            return round((float) $result, $digits, PHP_ROUND_HALF_DOWN);
+        if (PHP_VERSION_ID >= 80400) {
+            return round(
+                (float) (string) $number,
+                $digits,
+                RoundingMode::AwayFromZero //* @phpstan-ignore-line
+            );
         }
 
-        if ($digitsPlus1 < 0) {
-            return round($number + 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_DOWN);
+        if ($number < 0.0) {
+            return round($number - 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_DOWN);
         }
-        $result = sprintf("%.{$digitsPlus1}F", $number + 0.5 * 0.1 ** $digits);
 
-        return round((float) $result, $digits, PHP_ROUND_HALF_DOWN);
+        return round($number + 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_DOWN);
     }
 
     /**
      * ROUNDDOWN.
      *
      * Rounds a number down to a specified number of decimal places
      *
-     * @param array|float $number Number to round, or can be an array of numbers
-     * @param array|int $digits Number of digits to which you want to round $number, or can be an array of numbers
+     * @param null|array|float|string $number Number to round, or can be an array of numbers
+     * @param array|float|int|string $digits Number of digits to which you want to round $number, or can be an array of numbers
      *
      * @return array|float|string Rounded Number, or a string containing an error
      *         If an array of numbers is passed as the argument, then the returned result will also be an array
@@ -114,23 +113,19 @@ public static function down($number, $digits): array|string|float
             return 0.0;
         }
 
-        $digitsPlus1 = $digits + 1;
-        if ($number < 0.0) {
-            if ($digitsPlus1 < 0) {
-                return round($number + 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_UP);
-            }
-            $result = sprintf("%.{$digitsPlus1}F", $number + 0.5 * 0.1 ** $digits);
-
-            return round((float) $result, $digits, PHP_ROUND_HALF_UP);
+        if (PHP_VERSION_ID >= 80400) {
+            return round(
+                (float) (string) $number,
+                $digits,
+                RoundingMode::TowardsZero //* @phpstan-ignore-line
+            );
         }
 
-        if ($digitsPlus1 < 0) {
-            return round($number - 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_UP);
+        if ($number < 0.0) {
+            return round($number + 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_UP);
         }
 
-        $result = sprintf("%.{$digitsPlus1}F", $number - 0.5 * 0.1 ** $digits);
-
-        return round((float) $result, $digits, PHP_ROUND_HALF_UP);
+        return round($number - 0.5 * 0.1 ** $digits, $digits, PHP_ROUND_HALF_UP);
     }
 
     /**
 
@@ -3,7 +3,6 @@
 namespace PhpOffice\PhpSpreadsheet\Calculation\MathTrig;
 
 use PhpOffice\PhpSpreadsheet\Calculation\ArrayEnabled;
-use PhpOffice\PhpSpreadsheet\Calculation\Exception;
 
 class Trunc
 {
@@ -19,47 +18,19 @@ class Trunc
      * (or possibly that value minus 1).
      * Excel is unlikely to do any better.
      *
-     * @param array|float $value Or can be an array of values
-     * @param array|int $digits Or can be an array of values
+     * @param null|array|float|string $value Or can be an array of values
+     * @param array|float|int|string $digits Or can be an array of values
      *
      * @return array|float|string Truncated value, or a string containing an error
      *         If an array of numbers is passed as an argument, then the returned result will also be an array
      *            with the same dimensions
      */
-    public static function evaluate(array|float|string|null $value = 0, array|int|string $digits = 0): array|float|string
+    public static function evaluate(array|float|string|null $value = 0, array|float|int|string $digits = 0): array|float|string
     {
         if (is_array($value) || is_array($digits)) {
             return self::evaluateArrayArguments([self::class, __FUNCTION__], $value, $digits);
         }
 
-        try {
-            $value = Helpers::validateNumericNullBool($value);
-            $digits = Helpers::validateNumericNullSubstitution($digits, null);
-        } catch (Exception $e) {
-            return $e->getMessage();
-        }
-
-        if ($value == 0) {
-            return $value;
-        }
-
-        if ($value >= 0) {
-            $minusSign = '';
-        } else {
-            $minusSign = '-';
-            $value = -$value;
-        }
-        $digits = (int) floor($digits);
-        if ($digits < 0) {
-            $result = (float) (substr(sprintf('%.0F', $value), 0, $digits) . str_repeat('0', -$digits));
-
-            return ($minusSign === '') ? $result : -$result;
-        }
-        $decimals = (floor($value) == (int) $value) ? (PHP_FLOAT_DIG - strlen((string) (int) $value)) : $digits;
-        $resultString = ($decimals < 0) ? sprintf('%F', $value) : sprintf('%.' . $decimals . 'F', $value);
-        $regExp = '/([.]\\d{' . $digits . '})\\d+$/';
-        $result = $minusSign . (preg_replace($regExp, '$1', $resultString) ?? $resultString);
-
-        return (float) $result;
+        return Round::down($value, $digits);
     }
 }
@@ -6,6 +6,9 @@
 
 class XmlScanner
 {
+    private const ENCODING_PATTERN = '/encoding\\s*=\\s*(["\'])(.+?)\\1/s';
+    private const ENCODING_UTF7 = '/encoding\\s*=\\s*(["\'])UTF-7\\1/si';
+
     private string $pattern;
 
     /** @var ?callable */
@@ -36,29 +39,41 @@ private static function forceString(mixed $arg): string
     private function toUtf8(string $xml): string
     {
         $charset = $this->findCharSet($xml);
+        $foundUtf7 = $charset === 'UTF-7';
         if ($charset !== 'UTF-8') {
+            $testStart = '/^.{0,4}\\s*<?xml/s';
+            $startWithXml1 = preg_match($testStart, $xml);
             $xml = self::forceString(mb_convert_encoding($xml, 'UTF-8', $charset));
-
-            $charset = $this->findCharSet($xml);
-            if ($charset !== 'UTF-8') {
-                throw new Reader\Exception('Suspicious Double-encoded XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
+            if ($startWithXml1 === 1 && preg_match($testStart, $xml) !== 1) {
+                throw new Reader\Exception('Double encoding not permitted');
             }
+            $foundUtf7 = $foundUtf7 || (preg_match(self::ENCODING_UTF7, $xml) === 1);
+            $xml = preg_replace(self::ENCODING_PATTERN, '', $xml) ?? $xml;
+        } else {
+            $foundUtf7 = $foundUtf7 || (preg_match(self::ENCODING_UTF7, $xml) === 1);
+        }
+        if ($foundUtf7) {
+            throw new Reader\Exception('UTF-7 encoding not permitted');
+        }
+        if (substr($xml, 0, Reader\Csv::UTF8_BOM_LEN) === Reader\Csv::UTF8_BOM) {
+            $xml = substr($xml, Reader\Csv::UTF8_BOM_LEN);
         }
 
         return $xml;
     }
 
     private function findCharSet(string $xml): string
     {
-        $patterns = [
-            '/encoding\\s*=\\s*"([^"]*]?)"/',
-            "/encoding\\s*=\\s*'([^']*?)'/",
-        ];
-
-        foreach ($patterns as $pattern) {
-            if (preg_match($pattern, $xml, $matches)) {
-                return strtoupper($matches[1]);
-            }
+        if (substr($xml, 0, 4) === "\x4c\x6f\xa7\x94") {
+            throw new Reader\Exception('EBCDIC encoding not permitted');
+        }
+        $encoding = Reader\Csv::guessEncodingBom('', $xml);
+        if ($encoding !== '') {
+            return $encoding;
+        }
+        $xml = str_replace("\0", '', $xml);
+        if (preg_match(self::ENCODING_PATTERN, $xml, $matches)) {
+            return strtoupper($matches[2]);
         }
 
         return 'UTF-8';
@@ -71,13 +86,16 @@ private function findCharSet(string $xml): string
      */
     public function scan($xml): string
     {
+        // Don't rely purely on libxml_disable_entity_loader()
+        $pattern = '/\\0*' . implode('\\0*', str_split($this->pattern)) . '\\0*/';
+
         $xml = "$xml";
+        if (preg_match($pattern, $xml)) {
+            throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
+        }
 
         $xml = $this->toUtf8($xml);
 
-        // Don't rely purely on libxml_disable_entity_loader()
-        $pattern = '/\\0?' . implode('\\0?', str_split($this->pattern)) . '\\0?/';
-
         if (preg_match($pattern, $xml)) {
             throw new Reader\Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
         }
@@ -90,7 +108,7 @@ public function scan($xml): string
     }
 
     /**
-     * Scan theXML for use of <!ENTITY to prevent XXE/XEE attacks.
+     * Scan the XML for use of <!ENTITY to prevent XXE/XEE attacks.
      */
     public function scanFile(string $filestream): string
     {