Skip to content

feat: vtable-sheet support excel multiple sheets#4822

Merged
fangsmile merged 13 commits into
developfrom
feat/excel-multiply-sheet-import
Dec 17, 2025
Merged

feat: vtable-sheet support excel multiple sheets#4822
fangsmile merged 13 commits into
developfrom
feat/excel-multiply-sheet-import

Conversation

@fangsmile
Copy link
Copy Markdown
Contributor

@fangsmile fangsmile commented Dec 12, 2025

[中文版模板 / Chinese template]

🤔 This is a ...

  • New feature
  • Bug fix
  • TypeScript definition update
  • Bundle size optimization
  • Performance optimization
  • Enhancement feature
  • Refactoring
  • Update dependency
  • Code style optimization
  • Test Case
  • Branch merge
  • Site / documentation update
  • Demo update
  • Workflow
  • Chore
  • Release
  • Other (about what?)

🔗 Related issue link

💡 Background and solution

📝 Changelog

Language Changelog
🇺🇸 English
🇨🇳 Chinese

☑️ Self-Check before Merge

⚠️ Please check all items below before requesting a reviewing. ⚠️

  • Doc is updated/provided or not needed
  • Demo is updated/provided or not needed
  • TypeScript definition is updated/provided or not needed
  • Changelog is provided or not needed

🚀 Summary

copilot:summary

🔍 Walkthrough

copilot:walkthrough

github-advanced-security[bot]
github-advanced-security AI found potential problems Dec 12, 2025
View reviewed changes
Comment thread packages/vtable-plugins/src/excel-import.ts Outdated
// 自动更新表格
if (options.autoTable && this._tableInstance) {
if (options.autoColumns) {
this._tableInstance.updateOption({

Check failure

Code scanning / CodeQL

DOM text reinterpreted as HTML High

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 5 months ago

General Approach:
To resolve the identified issue, the code should sanitize untrusted HTML before parsing it with DOMParser. This can be done by using a sanitization library (such as dompurify if available) to ensure only safe markup (or, more conservatively, only tables with no scripts/etc.) is parsed. This ensures that even if untrusted input contains scripts or dangerous tags, they are stripped or neutralized before parsing, preventing XSS regardless of later usage.

Detailed Remedy:

  • In ExcelImportPlugin._parseHTMLString, sanitize the text input before DOMParser.parseFromString, using DOMPurify.sanitize or equivalent.
  • Add an import for a standard HTML sanitization library (dompurify) at the top of the file packages/vtable-plugins/src/excel-import.ts.
  • Use DOMPurify.sanitize(text, { ALLOWED_TAGS: ['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td'] }) to only allow table-related markup.
  • Update all parseFromString(text, 'text/html') to use the sanitized string.

Required Changes:

  • File: packages/vtable-plugins/src/excel-import.ts
    • Add import for dompurify (as DOMPurify).
    • Modify _parseHTMLString to sanitize text before parsing.
Suggested changeset 2
packages/vtable-plugins/src/excel-import.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vtable-plugins/src/excel-import.ts b/packages/vtable-plugins/src/excel-import.ts
--- a/packages/vtable-plugins/src/excel-import.ts
+++ b/packages/vtable-plugins/src/excel-import.ts
@@ -4,7 +4,7 @@
 import { importExcelMultipleSheets, importCsvFile } from './excel-import/excel';
 import { applyImportToVTableSheet } from './excel-import/vtable-sheet';
 import type { ExcelImportOptions, ImportResult, MultiSheetImportResult } from './excel-import/types';
-
+import DOMPurify from 'dompurify';
 export type { ExcelImportOptions, ImportResult, MultiSheetImportResult, SheetData } from './excel-import/types';
 
 /**
@@ -652,8 +652,10 @@
    * 解析HTML字符串
    */
   private async _parseHTMLString(text: string, options: ExcelImportOptions): Promise<ImportResult> {
+    // Sanitize HTML to avoid XSS issues from untrusted input
+    const sanitized = DOMPurify.sanitize(text, { ALLOWED_TAGS: ['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td'], ALLOWED_ATTR: [] });
     const parser = new DOMParser();
-    const doc = parser.parseFromString(text, 'text/html');
+    const doc = parser.parseFromString(sanitized, 'text/html');
     const table = doc.querySelector('table');
 
     if (!table) {
EOF
@@ -4,7 +4,7 @@
import { importExcelMultipleSheets, importCsvFile } from './excel-import/excel';
import { applyImportToVTableSheet } from './excel-import/vtable-sheet';
import type { ExcelImportOptions, ImportResult, MultiSheetImportResult } from './excel-import/types';

import DOMPurify from 'dompurify';
export type { ExcelImportOptions, ImportResult, MultiSheetImportResult, SheetData } from './excel-import/types';

/**
@@ -652,8 +652,10 @@
* 解析HTML字符串
*/
private async _parseHTMLString(text: string, options: ExcelImportOptions): Promise<ImportResult> {
// Sanitize HTML to avoid XSS issues from untrusted input
const sanitized = DOMPurify.sanitize(text, { ALLOWED_TAGS: ['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td'], ALLOWED_ATTR: [] });
const parser = new DOMParser();
const doc = parser.parseFromString(text, 'text/html');
const doc = parser.parseFromString(sanitized, 'text/html');
const table = doc.querySelector('table');

if (!table) {
packages/vtable-plugins/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vtable-plugins/package.json b/packages/vtable-plugins/package.json
--- a/packages/vtable-plugins/package.json
+++ b/packages/vtable-plugins/package.json
@@ -45,7 +45,8 @@
     "big.js": "6.2.2",
     "exceljs": "4.4.0",
     "file-saver": "2.0.5",
-    "@types/file-saver": "2.0.7"
+    "@types/file-saver": "2.0.7",
+    "dompurify": "^3.3.1"
   },
   "peerDependencies": {
     "@visactor/vtable": "workspace:*",
EOF
@@ -45,7 +45,8 @@
"big.js": "6.2.2",
"exceljs": "4.4.0",
"file-saver": "2.0.5",
"@types/file-saver": "2.0.7"
"@types/file-saver": "2.0.7",
"dompurify": "^3.3.1"
},
"peerDependencies": {
"@visactor/vtable": "workspace:*",
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.3.1 None
Copilot is powered by AI and may make mistakes. Always verify output.
@fangsmile fangsmile merged commit b8f6153 into develop Dec 17, 2025
4 of 7 checks passed
@fangsmile fangsmile deleted the feat/excel-multiply-sheet-import branch December 17, 2025 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Rui-Sun Rui-Sun Rui-Sun approved these changes

Assignees

No one assigned

Labels

chore docs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fangsmile @Rui-Sun @github-advanced-security