Conversation

@fangsmile
Contributor

[中文版模板 / Chinese template]

🤔 This is a ...

  • New feature
  • Bug fix
  • TypeScript definition update
  • Bundle size optimization
  • Performance optimization
  • Enhancement feature
  • Refactoring
  • Update dependency
  • Code style optimization
  • Test Case
  • Branch merge
  • Site / documentation update
  • Demo update
  • Workflow
  • Chore
  • Release
  • Other (about what?)

🔗 Related issue link

💡 Background and solution

📝 Changelog

Language Changelog
🇺🇸 English
🇨🇳 Chinese

☑️ Self-Check before Merge

⚠️ Please check all items below before requesting a review. ⚠️

  • Doc is updated/provided or not needed
  • Demo is updated/provided or not needed
  • TypeScript definition is updated/provided or not needed
  • Changelog is provided or not needed

🚀 Summary

copilot:summary

🔍 Walkthrough

copilot:walkthrough

// Automatically update the table
if (options.autoTable && this._tableInstance) {
if (options.autoColumns) {
this._tableInstance.updateOption({

Check failure

Code scanning / CodeQL

DOM text reinterpreted as HTML (High), reported three times: DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 20 days ago

General Approach:
To resolve the identified issue, the code should sanitize untrusted HTML before parsing it with DOMParser. This can be done by using a sanitization library (such as dompurify if available) to ensure only safe markup (or, more conservatively, only tables with no scripts/etc.) is parsed. This ensures that even if untrusted input contains scripts or dangerous tags, they are stripped or neutralized before parsing, preventing XSS regardless of later usage.

Detailed Remedy:

  • In ExcelImportPlugin._parseHTMLString, sanitize the text input before DOMParser.parseFromString, using DOMPurify.sanitize or equivalent.
  • Add an import for a standard HTML sanitization library (dompurify) at the top of the file packages/vtable-plugins/src/excel-import.ts.
  • Use DOMPurify.sanitize(text, { ALLOWED_TAGS: ['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td'] }) to only allow table-related markup.
  • Update all parseFromString(text, 'text/html') to use the sanitized string.

Required Changes:

  • File: packages/vtable-plugins/src/excel-import.ts
    • Add import for dompurify (as DOMPurify).
    • Modify _parseHTMLString to sanitize text before parsing.

Suggested changeset 2
packages/vtable-plugins/src/excel-import.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vtable-plugins/src/excel-import.ts b/packages/vtable-plugins/src/excel-import.ts
--- a/packages/vtable-plugins/src/excel-import.ts
+++ b/packages/vtable-plugins/src/excel-import.ts
@@ -4,7 +4,7 @@
 import { importExcelMultipleSheets, importCsvFile } from './excel-import/excel';
 import { applyImportToVTableSheet } from './excel-import/vtable-sheet';
 import type { ExcelImportOptions, ImportResult, MultiSheetImportResult } from './excel-import/types';
-
+import DOMPurify from 'dompurify';
 export type { ExcelImportOptions, ImportResult, MultiSheetImportResult, SheetData } from './excel-import/types';
 
 /**
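Review bot: the new `import DOMPurify from 'dompurify';` replaces the blank line that separated the import group from the `export type` re-export, so imports and exports now run together; keep that blank line and place the new import with the other value imports above the `import type` line. Note also that, like the existing DOMParser call, dompurify needs a DOM, so this import keeps the file browser-only.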
@@ -652,8 +652,10 @@
    * 解析HTML字符串
    */
   private async _parseHTMLString(text: string, options: ExcelImportOptions): Promise<ImportResult> {
+    // Sanitize HTML to avoid XSS issues from untrusted input
+    const sanitized = DOMPurify.sanitize(text, { ALLOWED_TAGS: ['table', 'thead', 'tbody', 'tfoot', 'tr', 'th', 'td'], ALLOWED_ATTR: [] });
     const parser = new DOMParser();
-    const doc = parser.parseFromString(text, 'text/html');
+    const doc = parser.parseFromString(sanitized, 'text/html');
     const table = doc.querySelector('table');
 
     if (!table) {
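Review bot: `ALLOWED_ATTR: []` strips every attribute, including `colspan` and `rowspan`; if the code below this hunk reads those to reconstruct merged cells, the import result silently changes, so add them to the allowlist, e.g. `ALLOWED_ATTR: ['colspan', 'rowspan']`. Two further points: `DOMPurify.sanitize` returns its input unchanged when `DOMPurify.isSupported` is false (no usable DOM), so the call should fail closed in that case rather than parse the raw string; and a DOMParser document is inert, so the alert is only truly resolved if whatever consumes `table` later reads cell values via `textContent` rather than `innerHTML`.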
EOF
packages/vtable-plugins/package.json
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vtable-plugins/package.json b/packages/vtable-plugins/package.json
--- a/packages/vtable-plugins/package.json
+++ b/packages/vtable-plugins/package.json
@@ -45,7 +45,8 @@
     "big.js": "6.2.2",
     "exceljs": "4.4.0",
     "file-saver": "2.0.5",
-    "@types/file-saver": "2.0.7"
+    "@types/file-saver": "2.0.7",
+    "dompurify": "^3.3.1"
   },
   "peerDependencies": {
     "@visactor/vtable": "workspace:*",
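Review bot: `"dompurify": "^3.3.1"` uses a caret range while every neighbouring dependency in this block (`"big.js": "6.2.2"`, `"exceljs": "4.4.0"`, `"file-saver": "2.0.5"`) is pinned exactly; pin it to `"3.3.1"` for consistency and so that the sanitizer version cannot drift between installs.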
EOF
This fix introduces these dependencies:
Package: dompurify (npm); Version: 3.3.1; Security advisories: None
@fangsmile fangsmile merged commit b8f6153 into develop Dec 17, 2025
4 of 7 checks passed
@fangsmile fangsmile deleted the feat/excel-multiply-sheet-import branch December 17, 2025 07:21