
Text should be escaped as it's being parsed into XML files #972

Closed
c00 opened this issue Jan 3, 2017 · 5 comments


c00 commented Jan 3, 2017

In at least the Section::addText() function, data is not being escaped properly. Adding text that would be considered invalid in XML will result in a corrupt Word output file.

In the following example the unescaped ampersand is causing the corruption.

use PhpOffice\PhpWord\IOFactory;
use PhpOffice\PhpWord\PhpWord;

$word = new PhpWord();
$section = $word->addSection();

// This will cause a corrupt docx file.
$section->addText("This is bad & not good.");

// This will work fine.
$section->addText(htmlentities("This is alright & good.", ENT_XML1));

// This also works (ampersand escaped by hand).
$section->addText("This is okay &amp; tedious.");

$objWriter = IOFactory::createWriter($word, 'Word2007');
$objWriter->save("C:\\foo\\bar.docx");

Opening the resulting file will result in a parsing error.

The solution would be to auto-escape all text added through addText() functions. Possibly other functions as well.


ldurfee commented Jan 4, 2017

I believe I am having this same issue.


ldurfee commented Jan 4, 2017

I can confirm that this is the issue I am having. I wrapped the data in htmlentities and it then would open in Word.

Author

c00 commented Jan 5, 2017

Great, that means I'm not alone. I couldn't easily find the place in the code where to change this; I hope one of the contributors can do that!


alder commented Feb 24, 2017

Confirm - I am having the same issue with setValue() in TemplateProcessor. Temporary solution - wrap string data in htmlentities().

Contributor

troosan commented Jun 27, 2017

If you first call

Settings::setOutputEscapingEnabled(true);

the XML entities will get escaped.
The default value for this is (unfortunately) false for backward compatibility reasons.
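
An added illustration (not PHPWord's code and not from any commenter in this thread) of why the unescaped ampersand yields a part that no XML parser will read, and of what happens when text already escaped by hand is escaped a second time. `buildRun` and `readBack` are hypothetical helpers, and the sample strings are constructed.

```php
<?php
// Added example, not PHPWord code: mimics a writer that places text inside
// a WordprocessingML <w:t> element, with and without XML escaping.

const W_NS = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main';

// Hypothetical helper: wrap $text in a minimal paragraph/run fragment.
function buildRun(string $text, bool $escape): string
{
    if ($escape) {
        // ENT_XML1 restricts named entities to the ones XML 1.0 predefines.
        $text = htmlspecialchars($text, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    }
    return '<w:p xmlns:w="' . W_NS . '"><w:r><w:t>' . $text . '</w:t></w:r></w:p>';
}

// Hypothetical helper: parse the fragment strictly and return the text a
// consumer would see, or null when the XML is not well-formed.
function readBack(string $xml): ?string
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok ? $doc->documentElement->textContent : null;
}

// Constructed sample inputs.
$samples = [
    'This is bad & not good.',        // bare ampersand
    'a < b',                          // bare angle bracket
    'This is okay &amp; tedious.',    // already escaped by the caller
];

foreach ($samples as $s) {
    $raw = readBack(buildRun($s, false));
    $esc = readBack(buildRun($s, true));
    printf("%-32s raw=%-30s escaped=%s\n",
        var_export($s, true), var_export($raw, true), var_export($esc, true));
}
```

A `NULL` in the raw column marks a fragment the parser rejected. The third sample reads back with a literal `&amp;` in the escaped column, so callers who wrapped their data in `htmlentities()` as a workaround should drop that wrapper when escaping is applied at output time.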
