Ensure title is escaped

Author: 0b10011

CHANGELOG.md

@@ -29,6 +29,7 @@ This release marked the addition of strict typing and return type declarations (
 - Fix HTML border-color parsing. @troosan #1551 #1570
 - Fixed specifying cell widths, background color, etc on `PhpOffice\PhpWord\Style\Cell` @0b10011 #1669
 - Escape arrays of replacements in `TemplateProcessor` @0b10011 #1669
+- Escape text provided for `<title>` when exporting to HTML @0b10011
 
 ### Miscellaneous
 -

src/PhpWord/Writer/HTML/Part/Head.php

@@ -54,24 +54,32 @@ public function write()
         $title = $docProps->getTitle();
         $title = ($title != '') ? $title : 'PHPWord';
 
-        $content = '';
+        $html = '';
 
-        $content .= '<head>' . PHP_EOL;
-        $content .= '<meta charset="UTF-8" />' . PHP_EOL;
-        $content .= '<title>' . $title . '</title>' . PHP_EOL;
-        foreach ($propertiesMapping as $key => $value) {
-            $value = ($value == '') ? $key : $value;
+        $html .= '<head>' . PHP_EOL;
+        $html .= '<meta charset="UTF-8" />' . PHP_EOL;
+        $html .= '<title>' . (Settings::isOutputEscapingEnabled() ? $this->escaper->escapeHtml($title) : $title) . '</title>' . PHP_EOL;
+        foreach ($propertiesMapping as $key => $name) {
+            $name = ($name == '') ? $key : $name;
             $method = 'get' . $key;
-            if ($docProps->$method() != '') {
-                $content .= '<meta name="' . $value . '"'
-                          . ' content="' . (Settings::isOutputEscapingEnabled() ? $this->escaper->escapeHtmlAttr($docProps->$method()) : $docProps->$method()) . '"'
-                          . ' />' . PHP_EOL;
+
+            $content = $docProps->$method();
+            if ($content === '') {
+                continue;
+            }
+
+            if (Settings::isOutputEscapingEnabled()) {
+                $content = $this->escaper->escapeHtmlAttr($content);
             }
+
+            $html .= '<meta name="' . $name . '"'
+                      . ' content="' . $content . '"'
+                      . ' />' . PHP_EOL;
         }
-        $content .= $this->writeStyles();
-        $content .= '</head>' . PHP_EOL;
+        $html .= $this->writeStyles();
+        $html .= '</head>' . PHP_EOL;
 
-        return $content;
+        return $html;
     }
 
     /**
@@ -81,7 +89,12 @@ public function write()
      */
     private function writeStyles()
     {
-        $css = '<style>' . PHP_EOL;
+        // Stylesheets with the title "PHPWord Base Styles"
+        // are ignored during read
+        // so we can make the HTML document look nice
+        // without interfering with the styles
+        // when we import.
+        $css = '<style title="PHPWord Base Styles">' . PHP_EOL;
 
         // Default styles
         $defaultStyles = array(

tests/PhpWord/Writer/HTMLTest.php

@@ -147,6 +147,28 @@ public function testSave()
         unlink($file);
     }
 
+    public function testEscaping()
+    {
+        $file = __DIR__ . '/../_files/temp.html';
+
+        $phpWord = new PhpWord();
+        Settings::setOutputEscapingEnabled(true);
+
+        $docProps = $phpWord->getDocInfo();
+        $docProps->setTitle('"Test" & <hack>');
+
+        $writer = new HTML($phpWord);
+
+        $writer->save($file);
+        $this->assertFileExists($file);
+        $html = file_get_contents($file);
+
+        $this->assertInternalType('int', strpos($html, '<title>&quot;Test&quot; &amp; &lt;hack&gt;</title>'), 'Quotes, ampersand, and tag should be escaped in title value');
+        $this->assertInternalType('int', strpos($html, '<meta name="title" content="&quot;Test&quot;&#x20;&amp;&#x20;&lt;hack&gt;" />'), 'Quotes, ampersand, and tag should be escaped in attribute');
+
+        unlink($file);
+    }
+
     public function testTitle()
     {
         $file = __DIR__ . '/../_files/temp.html';