Fix OOXML schema validity, correctness, perf, and security issues #30
Merged
SimonCropp merged 1 commit intoJun 26, 2026
Correctness:
- Tables: derive column count from the rowspan grid so cells in later, wider rows are no longer silently dropped
- Tables: thread FootnoteIndex/BookmarkId through per-cell contexts and seed FootnoteIndex from the existing part, so footnote and bookmark IDs no longer collide across cells or across Build calls
- Emit w:rPr and w:tcPr children in OOXML schema order; previously the output was schema-invalid and only tolerated by Word
- Cell margins emit w:left/w:right instead of the invalid w:start/w:end
- ColorParser: accept percentage and decimal rgb()/rgba() components
- vertical-align is matched case-insensitively
- word-spacing no longer doubles letter-spacing
- @page: match the closing brace and skip nested margin-box rules so sibling declarations (margin/size) are not lost

Performance:
- Parse each element's inline style once instead of twice
- Allocate list numbering IDs from the threaded NextNumId counter rather than rescanning the numbering part per list (O(m^2) -> O(m))
- Compute ordered-list item indices in a single pass (O(n^2) -> O(n))

Security:
- Image fetch: disable auto-redirect and re-check each redirect hop against the image policy (closes a SafeDomains/SSRF bypass), cap the response size, set a timeout, and parse width/height with InvariantCulture

Tests:
- Add rowspan, footnote-id, bookmark-id, and OpenXmlValidator round-trip tests, plus rgb() percentage cases
- Regenerate affected verified baselines (structural reordering only; rendered text/image output unchanged)
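The image-fetch hardening listed under Security, sketched as an added example (not code from this pull request or the project). `ImageFetch`, `isAllowed`, `RedirectStub`, the host names and the limits are assumptions; the stub handler is a constructed stand-in for a permitted host that redirects to a loopback address.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
// Constructed demo: the allowed host answers with a redirect to loopback.
// A real client needs new HttpClientHandler { AllowAutoRedirect = false } and a Timeout.
var client = new HttpClient(new RedirectStub()) { Timeout = TimeSpan.FromSeconds(10) };
var image = await ImageFetch.Fetch(client, new Uri("https://cdn.example.com/a.png"),
    uri => uri.Scheme == "https" && uri.Host == "cdn.example.com");
Console.WriteLine(image is null ? "blocked" : $"{image.Length} bytes");

static class ImageFetch
{
    const int MaxHops = 5;                   // assumed limits, not the project's values
    const long MaxBytes = 10 * 1024 * 1024;
    // isAllowed is a hypothetical stand-in for the image policy (safe-domain list).
    public static async Task<byte[]?> Fetch(HttpClient client, Uri uri, Func<Uri, bool> isAllowed)
    {
        for (var hop = 0; hop <= MaxHops; hop++)
        {
            if (!isAllowed(uri)) return null;              // policy runs on every hop
            using var response = await client.GetAsync(uri, HttpCompletionOption.ResponseHeadersRead);
            if ((int)response.StatusCode is >= 300 and < 400 && response.Headers.Location is { } next)
            {
                uri = new Uri(uri, next);                  // resolves a relative Location
                continue;
            }
            if (!response.IsSuccessStatusCode || response.Content.Headers.ContentLength > MaxBytes) return null;
            // Content-Length may be absent or wrong, so the cap is enforced while reading.
            await using var body = await response.Content.ReadAsStreamAsync();
            using var buffer = new MemoryStream();
            var chunk = new byte[81920];
            int read;
            while ((read = await body.ReadAsync(chunk)) > 0)
            {
                if (buffer.Length + read > MaxBytes) return null;
                buffer.Write(chunk, 0, read);
            }
            return buffer.ToArray();
        }
        return null;                                       // redirect limit exceeded
    }
}
class RedirectStub : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken token) =>
        Task.FromResult(new HttpResponseMessage(HttpStatusCode.Found)
            { Headers = { Location = new Uri("http://127.0.0.1/internal.png") } });
}
```

With automatic redirects left on, the handler follows the `Location` header internally and the policy only ever sees the first URL.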