Checking and converting loaded content in HTML Reader based on charset

[pdscopes]

This is:

- [x] a bug report
- [x] a feature request
- [ ] **not** a usage question (ask them on https://stackoverflow.com/questions/tagged/phpspreadsheet or https://gitter.im/PHPOffice/PhpSpreadsheet)

What is the expected behavior?

That an HTML with a non "UTF-8" charset is converted into UTF-8 before being loaded.

What is the current behavior?

Inside PhpOffice\PhpSpreadsheet\Reader\Html::loadIntoExisting it fails to load as the preg_replace_callback step throws an error due to the non "UTF-8" encoding of $convert.

What are the steps to reproduce?

Create a HTML file with iso-8859-1 encoding. And try to read it using the HTML Reader.

What features do you think are causing the issue

Reader.

Does an issue affect all spreadsheet file formats? If not, which formats are affected?

This only affects the HTML Reader.

Which versions of PhpSpreadsheet and PHP are affected?

PHP 8.2 and 8.3 and PhpSpreadshee 1.29 and 2.0.

Proposed change to code to resolve this issue

I have knocked up a fix for this but I'm not sure if it should be more complex or in it's own function. I based this on the code that is in PhpOffice\PhpSpreadsheet\Reader\Security\XmlScanner::toUtf8 function. I don't think it belongs in there as it is to do with HTML methods of declaring encodings but I'm happy to be corrected:

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<meta charset="iso-8859-1">

    /**
     * Loads PhpSpreadsheet from file into PhpSpreadsheet instance.
     */
    public function loadIntoExisting(string $filename, Spreadsheet $spreadsheet): Spreadsheet
    {
        // Validate
        if (!$this->canRead($filename)) {
            throw new Exception($filename . ' is an Invalid HTML file.');
        }

        // Create a new DOM object
        $dom = new DOMDocument();

        // Reload the HTML file into the DOM object
        try {
            $convert = $this->getSecurityScannerOrThrow()->scanFile($filename);

            // START OF NEW CODE

            // Check for non-"UTF-8" charset
            $pattern = '/charset="?(.*?)("|;)/';
            $result = preg_match($pattern, $convert, $matches);
            if ($result) {
                $charset = strtoupper($matches[1]);
                $convert = mb_convert_encoding($convert, 'UTF-8', $charset);
                $convert = is_string($convert) ? $convert : '';
            }

            // END OF NEW CODE

            $lowend = "\u{80}";
            $highend = "\u{10ffff}";
            $regexp = "/[$lowend-$highend]/u";
            /** @var callable $callback */
            $callback = [self::class, 'replaceNonAscii'];
            $convert = preg_replace_callback($regexp, $callback, $convert);
            $loaded = ($convert === null) ? false : $dom->loadHTML($convert);
        } catch (Throwable $e) {
            $loaded = false;
        }
        if ($loaded === false) {
            throw new Exception('Failed to load ' . $filename . ' as a DOM Document', 0, $e ?? null);
        }
        self::loadProperties($dom, $spreadsheet);

        return $this->loadDocument($dom, $spreadsheet);
    }

[oleibman]

See #1681 (comment) for why I don't think any solution to this problem is practical. However, I will be glad to at least review a PR (with tests) if you create one.

[pdscopes]

Thank you, @oleibman. Your comment in #1681 (comment) was insightful. I'll have a proper go at the PR for you to review.

[pdscopes]

@oleibman, sorry for the delay but I have now created the PR.

[oleibman]

You're off to a decent start, but there is much more work to do. I will be making suggestions here, but only one or two at a time in order to keep things manageable. My suggestions will probably at times appear nit-picky; please bear in mind that I am just trying to make sure that your solution is robust and secure.

Your test works fine for a single-byte encoding like ISO-8859-*. I believe it will not work for a multi-byte encoding like UTF-16. So that's your next task.

We often prefer that tests don't require an external spreadsheet (or in this case html file). This would be an exception. I would like to see your html tests load an html file (in tests/data), rather than building the html in code and using coding in your test to change the character set. That extra code in the test is just a distraction, and makes it difficult to evaluate what your test is doing.

[oleibman]

Actually, hold off on doing anything for a day or two. I've looked at the code again and I think we can make this simpler for the ISO-8859 cases, and maybe for UTF-16 (which is supposed to use BOM and not specify charset in the html) as well. When I've finished my analysis, we can discuss next steps.

[oleibman]

Closed 4015, replaced it with 4019. My apologies for sending you on the wrong path, but analyzing your code helped me eliminate a blind spot that was preventing me from seeing the correct way to solve this problem. DOM loadhtml will correctly handle the charsets without our having to manipulate the data; the exception would be for data with no BOM and no charset attribute, where we want it to be UTF-8 and loadhtml wants it to be ISO-8859-1. By restricting our manipulations to those specific conditions, the code becomes a lot cleaner and we don't have to worry about any messy conversions.

[pdscopes]

Not a problem! I really like your end solution and I'm just glad to be part of what helped you see the blind spot.

If there is anything more I can do, please let me know but I'll assume no word means nothing needed.