security note about javascript: links

SheetJS 2026-01-25 15:10:48 -05:00
parent 67d7c1f993
commit 6532f9fea8
13 changed files with 150 additions and 37 deletions

@ -37,7 +37,7 @@ This demo was tested in the following configurations:
|:------------------------------------------------------------------|:-------------|:-----------|
| NVIDIA RTX PRO 6000 (96 GB VRAM) + Ryzen Z2 Go (32 GB RAM) | `win11-x64` | 2025-11-15 |
| NVIDIA RTX PRO 6000 (96 GB VRAM) + Ryzen Z2 Go (32 GB RAM) | `linux-x64` | 2025-11-15 |
| NVIDIA RTX 5090 (32 GB VRAM) + Ryzen Z2 Go (32 GB RAM) | `win11-x64` | 2025-11-15 |
| NVIDIA RTX 5090 (32 GB VRAM) + Ryzen Z2 (32 GB RAM) | `win11-x64` | 2026-01-25 |
| NVIDIA RTX 5090 (32 GB VRAM) + Ryzen Z2 Go (32 GB RAM) | `linux-x64` | 2025-11-15 |
| AMD AI PRO R9700 (32 GB VRAM) + Ryzen Z1 Extreme (16 GB RAM) | `win11-x64` | 2026-01-17 |
| AMD AI PRO R9700 (32 GB VRAM) + Ryzen Z1 Extreme (16 GB RAM) | `linux-x64` | 2026-01-17 |
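Review bot: the replacement RTX 5090 / `win11-x64` row changes the CPU from `Ryzen Z2 Go` to `Ryzen Z2`, while the unchanged 2025-11-15 row directly above it and every other row in the table say `Ryzen Z2 Go`; if this is a different test machine, say so (the two rows otherwise differ only by date), and if it is a typo restore `Go`. Separately, the commit message (`security note about javascript: links`) says nothing about the test-matrix refresh that makes up most of this commit; splitting the matrix updates from the security note would keep the history searchable.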

@ -41,7 +41,7 @@ This demo was tested in the following deployments:
| Architecture | JS Engine | Pandas | Python | Date |
|:-------------|:----------------|:-------|:-------|:-----------|
| `darwin-x64` | Duktape `2.7.0` | 2.2.3 | 3.13.1 | 2025-03-31 |
| `darwin-arm` | Duktape `2.7.0` | 2.2.3 | 3.13.2 | 2025-03-30 |
| `darwin-arm` | Duktape `2.7.0` | 2.3.3 | 3.9.6 | 2026-01-25 |
| `win11-x64` | Duktape `2.7.0` | 2.2.3 | 3.11.9 | 2025-04-28 |
| `win11-arm` | Duktape `2.7.0` | 2.2.3 | 3.13.2 | 2025-02-23 |
| `linux-x64` | Duktape `2.7.0` | 2.1.4 | 3.12.3 | 2025-06-16 |
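Review bot: the refreshed `darwin-arm` row records Python `3.9.6`, which is likely the `/usr/bin/python3` bundled with Apple's developer tools; Python 3.9 reached end of life in October 2025, so the demo is now documented as tested only on an unsupported interpreter for that platform. Consider re-running on a supported 3.x (the previous row used 3.13.2) or noting in the table that 3.9 is no longer maintained.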
@ -542,14 +542,14 @@ The Pandas example requires a few slight changes to work with Polars:
This demo was tested in the following deployments:
| Architecture | JS Engine | Polars | Python | Date |
|:-------------|:----------------|:--------|:-------|:-----------|
| `darwin-x64` | Duktape `2.7.0` | 1.26.0 | 3.13.1 | 2025-03-31 |
| `darwin-arm` | Duktape `2.7.0` | 1.26.0 | 3.13.2 | 2025-03-30 |
| `win11-x64` | Duktape `2.7.0` | 1.28.1 | 3.11.9 | 2025-04-28 |
| `win11-arm` | Duktape `2.7.0` | 1.23.0 | 3.13.2 | 2025-02-23 |
| `linux-x64` | Duktape `2.7.0` | 1.30.0 | 3.12.3 | 2025-06-16 |
| `linux-arm` | Duktape `2.7.0` | 1.22.0 | 3.11.2 | 2025-02-16 |
| Architecture | JS Engine | Polars | Python | Date |
|:-------------|:----------------|:-------|:-------|:-----------|
| `darwin-x64` | Duktape `2.7.0` | 1.26.0 | 3.13.1 | 2025-03-31 |
| `darwin-arm` | Duktape `2.7.0` | 1.36.1 | 3.9.6 | 2026-01-25 |
| `win11-x64` | Duktape `2.7.0` | 1.28.1 | 3.11.9 | 2025-04-28 |
| `win11-arm` | Duktape `2.7.0` | 1.23.0 | 3.13.2 | 2025-02-23 |
| `linux-x64` | Duktape `2.7.0` | 1.30.0 | 3.12.3 | 2025-06-16 |
| `linux-arm` | Duktape `2.7.0` | 1.22.0 | 3.11.2 | 2025-02-16 |
:::
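Review bot: the only data change in this hunk is the `darwin-arm` row (Polars `1.26.0` / Python `3.13.2` / 2025-03-30 to `1.36.1` / `3.9.6` / 2026-01-25), but the whole table is rewritten because the separator row was narrowed from `|:--------|` to `|:-------|` in the Polars column; keep the separator width unchanged so the diff shows a single changed row. As with the Pandas table, Python 3.9 is past its October 2025 end of life, so re-testing on a supported interpreter would be preferable.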

@ -13,6 +13,7 @@ import current from '/version.js';
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import CodeBlock from '@theme/CodeBlock';
import Link from '@docusaurus/Link';
export const r = {style: {color:"red"}};
export const g = {style: {color:"green"}};
@ -257,7 +258,8 @@ curl -o ./src/App.tsx https://docs.sheetjs.com/lynx/App.tsx
```bash
curl -o ./src/App.css https://docs.sheetjs.com/lynx/App.css
```
<a name="step5"></a>
<Link id="step5"/>
5) Start the development server:
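Review bot: `<Link id="step5"/>` is given no `to` or `href`, so the router-aware `@docusaurus/Link` component is being used purely as a fragment target and renders an anchor with no `href`; a plain `<span id="step5"></span>` expresses the intent without the extra import and without an empty link in the DOM. If `Link` is kept, this hunk depends on the `import Link from '@docusaurus/Link'` added at the top of the same file, so the two must land together; either way, verify that existing `#step5` deep links still resolve after the rename from the deprecated `name` attribute.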

@ -406,7 +406,7 @@ This demo was tested in the following deployments:
| Architecture | Version | PHP | Date |
|:-------------|:--------|:---------|:-----------|
| `darwin-x64` | `2.7.0` | `8.4.11` | 2026-01-21 |
| `darwin-arm` | `2.7.0` | `8.4.4` | 2025-02-25 |
| `darwin-arm` | `2.7.0` | `8.4.8` | 2026-01-23 |
| `linux-x64` | `2.7.0` | `8.3.6` | 2025-04-21 |
| `linux-arm` | `2.7.0` | `8.2.26` | 2025-02-15 |
@ -548,7 +548,7 @@ This demo was tested in the following deployments:
| Architecture | Version | Python | Date |
|:-------------|:--------|:---------|:-----------|
| `darwin-x64` | `2.7.0` | `3.13.7` | 2026-01-21 |
| `darwin-arm` | `2.7.0` | `3.12.3` | 2025-03-30 |
| `darwin-arm` | `2.7.0` | `3.12.3` | 2026-01-23 |
| `linux-x64` | `2.7.0` | `3.12.3` | 2025-04-21 |
| `linux-arm` | `2.7.0` | `3.11.2` | 2025-02-15 |
@ -1017,8 +1017,8 @@ This demo was tested in the following deployments:
| Architecture | Version | Date |
|:-------------|:--------|:-----------|
| `darwin-x64` | `2.2.0` | 2026-02-21 |
| `darwin-arm` | `2.2.0` | 2025-03-30 |
| `darwin-x64` | `2.2.0` | 2026-01-21 |
| `darwin-arm` | `2.2.0` | 2026-01-23 |
| `linux-x64` | `2.2.0` | 2025-04-21 |
| `linux-arm` | `2.2.0` | 2025-02-15 |
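Review bot: the `darwin-x64` row previously carried the date `2026-02-21`, a month after this commit, and the correction to `2026-01-21` brings it in line with the other `2.2.0` rows refreshed in this pass; good catch. A small check that rejects test dates later than the commit date would stop this class of typo from landing again.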
@ -1113,7 +1113,7 @@ This demo was tested in the following deployments:
| Architecture | Version | Date |
|:-------------|:--------|:-----------|
| `darwin-x64` | `2.2.1` | 2026-01-21 |
| `darwin-arm` | `2.2.1` | 2025-03-31 |
| `darwin-arm` | `2.2.1` | 2026-01-23 |
| `win11-x64` | `2.2.1` | 2025-04-17 |
| `linux-x64` | `2.2.1` | 2026-01-08 |
| `linux-arm` | `2.2.1` | 2025-04-18 |

@ -164,7 +164,7 @@ This demo was tested in the following deployments:
| Architecture | Jint | Date |
|:-------------|:--------|:-----------|
| `darwin-x64` | `4.5.0` | 2026-01-21 |
| `darwin-arm` | `4.2.0` | 2025-02-13 |
| `darwin-arm` | `4.5.0` | 2026-01-23 |
| `win11-x64` | `4.2.2` | 2026-04-28 |
| `win11-arm` | `4.2.0` | 2025-02-23 |
| `linux-x64` | `4.2.2` | 2025-06-16 |
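Review bot: the unchanged `win11-x64` context row reads `2026-04-28`, three months after this commit; the other `win11-x64` rows touched in this commit (Pandas, Polars, Hermes) all read `2025-04-28`, so this is almost certainly a year typo and should be corrected in the same pass rather than left as a future date.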

@ -365,7 +365,7 @@ This demo was tested in the following deployments:
| Architecture | Git Commit | Date |
|:-------------|:-----------|:-----------|
| `darwin-x64` | `8ef11b4` | 2025-03-31 |
| `darwin-arm` | `8ef11b4` | 2025-09-03 |
| `darwin-arm` | `f45c6bc` | 2026-01-23 |
| `linux-x64` | `8ef11b4` | 2025-04-21 |
| `linux-arm` | `388376f` | 2025-02-15 |
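Review bot: only the `darwin-arm` row is moved to `f45c6bc`, while `darwin-x64`, `linux-x64` and `linux-arm` stay at `8ef11b4` or `388376f`; since the Makefile in this commit now checks out `f45c6bc` unconditionally, the remaining rows no longer describe the build a reader following the instructions will get. Either re-test those platforms against `f45c6bc` or mark the rows as tested with an older checkout.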
@ -586,9 +586,15 @@ cp ./build_release/jsi/libjsi.so .
</TabItem>
<TabItem value="darwin" label="MacOS">
:::note pass
Some Hermes releases build static libraries, rendering this step unnecessary.
:::
```bash
cp ./build_release/API/hermes/libhermes.dylib .
cp ./build_release/jsi/libjsi.dylib .
if [ -e ./build_release/API/hermes/libhermes.dylib ]; then cp ./build_release/API/hermes/libhermes.dylib .; fi
if [ -e ./build_release/jsi/libjsi.dylib ]; then cp ./build_release/jsi/libjsi.dylib .; fi
```
</TabItem>
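Review bot: the macOS tab now guards both copies with `if [ -e ... ]`, but the Linux tab's `cp ./build_release/jsi/libjsi.so .` visible in the leading context is still unconditional, so a Linux reader hitting a static-library Hermes build gets a hard `cp` error instead of the silent skip the new `:::note pass` admonition describes; apply the same guard in the Linux tab (the updated test script in this commit already does). The guarded copies also hide a genuinely missing library until link time, so the admonition should tell the reader that a missing `.dylib` is expected in that case and not a build failure.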
@ -848,7 +854,7 @@ This demo was tested in the following deployments:
| Architecture | Hermes | Date |
|:-------------|:---------|:-----------|
| `darwin-x64` | `0.13.0` | 2025-03-31 |
| `darwin-arm` | `0.13.0` | 2025-04-23 |
| `darwin-arm` | `0.13.0` | 2026-01-23 |
| `win11-x64` | `0.13.0` | 2025-04-28 |
| `win11-arm` | `0.13.0` | 2025-02-23 |
| `linux-x64` | `0.13.0` | 2025-04-21 |

@ -8,6 +8,7 @@ import current from '/version.js';
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import CodeBlock from '@theme/CodeBlock';
import Link from '@docusaurus/Link';
The main SheetJS method for writing workbooks is `write`. It accepts a SheetJS
[workbook object](/docs/csf/book) and returns the file data stored in common
@ -135,7 +136,7 @@ The write functions accept an options argument:
## Supported Output Formats
<a name="bookType"></a>
<Link id="bookType"/>
For broad compatibility with third-party tools, SheetJS CE supports many output
formats. The writer will select the file type based on the `bookType` option:

@ -25,6 +25,15 @@ Metadata standards. XLSX files must reference `http://purl.org/dc/elements/1.1/`
Any tool that generates XML files must generate URLs to domains outside of the
control of the vendor.
### JavaScript Links
Excel and other spreadsheet tools support hyperlinks using the `javascript:`
protocol. When exporting to HTML, they will not sanitize or strip these URLs.
**Microsoft does not currently believe this is a vulnerability!**
The SheetJS HTML exporter mirrors established behavior.
### Non-ASCII Characters
XLS, CSV and other legacy file formats use system-specific encodings. Excel and
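Review bot: the new section states what Excel and the SheetJS HTML exporter do but gives the reader no mitigation; add one sentence telling applications that render exported HTML in a browser to restrict hyperlink targets to an allow-list of schemes (`http:`, `https:`, `mailto:`) before display, and point at where the target lives on the workbook object (the cell `l.Target` property) so they know what to inspect or strip before calling the writer. "When exporting to HTML, they will not sanitize or strip these URLs" should name its subject explicitly (Excel and the other tools) so it is not read as a statement about SheetJS, and the bolded Microsoft position would be more useful with a citation readers can verify. A heading that contains the scheme name, such as `### javascript: Hyperlinks`, would also make the section findable by someone searching for it.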

@ -1,5 +1,5 @@
# Note: The official Hermes documentation includes zero guidance on embedding.=
# Tested against commit 8ef11b45d7b078434605658421efb34cf436c005 on darwin-x64
# Tested against commit f45c6bcb2d6e6516b25abbf6c5964f9dc95c5761 on darwin-x64
# History https://git.sheetjs.com/sheetjs/docs.sheetjs.com/commits/branch/master/docz/static/hermes/Makefile
MYCC=llvm-g++
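Review bot: the updated header comment still says `on darwin-x64`, but the deployment table in this commit records `f45c6bc` for `darwin-arm` (2026-01-23) and leaves `darwin-x64` at `8ef11b4`; change the comment to `darwin-arm` or re-test x64 so the two stay in sync. If the trailing `=` after `embedding.` on the first line is really in the file, drop it.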
@ -33,8 +33,8 @@ clean-all: clean
sheetjs-hermes: sheetjs-hermes.cpp init
$(MYCC) $< -o $@ -std=gnu++17 \
-Ihermes/include/ -Ihermes/API/ -Ihermes/API/jsi -Ihermes/public \
-Lbuild_release/API/hermes/ -lsynthTrace -lsynthTraceParser \
-lhermes \
-Lbuild_release/API/hermes/ -lsynthTrace -lsynthTraceParser \
-lhermesapi \
-Lbuild_release/lib/VM/ -lhermesVMRuntime \
-Lbuild_release/lib/BCGen/HBC/ -lhermesHBCBackend \
-Lbuild_release/lib/BCGen/ -lhermesBackend \
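Review bot: the swap from `-lhermes` to `-lhermesapi` is the only substantive change here, but nothing records why (presumably the library was renamed in the Hermes tree between `8ef11b4` and `f45c6bc`); a one-line comment tying the link list to the pinned commit would save the next bump. Since the API library is now `hermesapi`, also confirm that `libhermes.dylib` / `libhermes.so` copied by the demo steps still exist at the new commit; the new `if [ -e ... ]` guards would silently hide their absence until the demo fails to load.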
@ -53,16 +53,16 @@ sheetjs-hermes: sheetjs-hermes.cpp init
-Lbuild_release/lib/CompilerDriver/ -lhermesCompilerDriver \
-Lbuild_release/lib/ConsoleHost/ -lhermesConsoleHost \
-Lbuild_release/lib/DependencyExtractor/ -lhermesDependencyExtractor \
-Lbuild_release/lib/FlowParser/ -lhermesFlowParser \
-Lbuild_release/lib/FrontEndDefs/ -lhermesFrontEndDefs \
-Lbuild_release/lib/Inst/ -lhermesInst \
-Lbuild_release/lib/InternalBytecode/ -lhermesInternalBytecode \
-Lbuild_release/lib/Platform/ -lhermesPlatform \
-Lbuild_release/lib/Platform/Intl/ -lhermesBCP47Parser \
-Lbuild_release/lib/Regex/ -lhermesRegex \
-Lbuild_release/lib/Support/ -lhermesSupport \
-Lbuild_release/lib/Sema/ -lhermesSema \
-Lbuild_release/lib/InternalJavaScript/ -lhermesInternalUnit -lhermesInternalBytecode \
-Lbuild_release/external/boost/boost_1_86_0/libs/context/ -lboost_context \
-Lbuild_release/public/hermes/Public -lhermesPublic \
-Lhermes/external/flowparser/ -lflowparser-mac \
-Lbuild_release/external/dtoa/ -ldtoa \
$(POSTAMBLE)
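Review bot: `-Lhermes/external/flowparser/ -lflowparser-mac` hard-codes the macOS prebuilt Flow parser in a Makefile that is also the documented Linux build path (`linux-x64` and `linux-arm` rows in this commit); if that line survives this change, gate it on `uname -s` or document the Linux equivalent. The new `hermesSema`, `hermesInternalUnit`, `hermesPublic` and `dtoa` entries should carry a comment naming the Hermes commit they were taken from, so a later bump can be checked against the CMake targets instead of rediscovered by link errors.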
@ -71,5 +71,5 @@ sheetjs-hermes.cpp:
.PHONY: init
init:
if [ ! -e hermes ]; then git clone https://github.com/facebook/hermes.git; cd hermes; git checkout 8ef11b45d7b078434605658421efb34cf436c005; cd ..; fi
if [ ! -e hermes ]; then git clone https://github.com/facebook/hermes.git; cd hermes; git checkout f45c6bcb2d6e6516b25abbf6c5964f9dc95c5761; cd ..; fi
if [ ! -e build_release ]; then cmake -S hermes -B build_release -G Ninja -DCMAKE_BUILD_TYPE=Release -DHERMES_BUILD_APPLE_FRAMEWORK=OFF; cmake --build ./build_release; fi
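Review bot: the `init` recipe chains clone and checkout with `;`, so if `git clone` fails (network, disk) the following `cd hermes` also fails, `git checkout f45c6bc...` runs against whatever repository the current directory happens to be, and `cd ..` then walks one level up; chain with `&&` instead, e.g. `git clone https://github.com/facebook/hermes.git && git -C hermes checkout f45c6bcb2d6e6516b25abbf6c5964f9dc95c5761`. Pinning to the full commit hash rather than a branch is the right call for a reproducible build; keep that.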

@ -12,17 +12,22 @@ curl -LO https://docs.sheetjs.com/hermes/sheetjs-hermes.cpp
make init
# CMake 4 workaround
rm -rf build_release
cp hermes/CMakeLists.txt hermes/CMakeLists.bak
awk 'NR != 42' <hermes/CMakeLists.bak >hermes/CMakeLists.txt
make init
#rm -rf build_release
#cp hermes/CMakeLists.txt hermes/CMakeLists.bak
#awk 'NR != 42' <hermes/CMakeLists.bak >hermes/CMakeLists.txt
#make init
make sheetjs-hermes
curl -LO https://cdn.sheetjs.com/xlsx-latest/package/dist/xlsx.full.min.js
curl -LO https://sheetjs.com/pres.numbers
curl -LO https://docs.sheetjs.com/pres.numbers
cp ./build_release/API/hermes/libhermes.* .
cp ./build_release/jsi/libjsi.* .
# Linux
if [ -e ./build_release/API/hermes/libhermes.so ]; then cp ./build_release/API/hermes/libhermes.so .; fi
if [ -e ./build_release/jsi/libjsi.so ]; then cp ./build_release/jsi/libjsi.so .; fi
# macOS
if [ -e ./build_release/API/hermes/libhermes.dylib ]; then cp ./build_release/API/hermes/libhermes.dylib .; fi
if [ -e ./build_release/jsi/libjsi.dylib ]; then cp ./build_release/jsi/libjsi.dylib .; fi
./sheetjs-hermes pres.numbers; echo $?
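Review bot: the four `#`-commented lines under `# CMake 4 workaround` are dead code; either delete them or replace them with a comment stating that the workaround is no longer needed as of Hermes `f45c6bc`, so a reader does not wonder whether to uncomment them. The `curl -LO` fetches of `xlsx.full.min.js` and `pres.numbers` have no failure check; adding `-f` (`curl -fLO`) makes a 404 fail the script instead of leaving an HTML error page named `pres.numbers` that the binary then tries to parse, which would make `echo $?` report a misleading failure.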

tests/math/pandas.sh (Executable file, 39 lines)

@ -0,0 +1,39 @@
#!/bin/bash
# https://docs.sheetjs.com/docs/demos/math/pandas
OS=$(uname -s)
cd /tmp
rm -rf sheetjs-pandas
mkdir sheetjs-pandas
cd sheetjs-pandas
curl -LO https://duktape.org/duktape-2.7.0.tar.xz
tar -xJf duktape-2.7.0.tar.xz
cd duktape-2.7.0
make -f Makefile.sharedlibrary
cd ..
OS="$(uname -s)"
case "$OS" in
Darwin) LIB_NAME="libduktape.207.20700.so" ;;
Linux) LIB_NAME="libduktape.so.207.20700" ;;
*) echo "Unsupported OS: $OS"; exit 1 ;;
esac
cp "duktape-2.7.0/$LIB_NAME" .
curl -LO https://cdn.sheetjs.com/xlsx-latest/package/dist/shim.min.js
curl -LO https://cdn.sheetjs.com/xlsx-latest/package/dist/xlsx.full.min.js
curl -LO https://docs.sheetjs.com/pres.numbers
curl -LO https://docs.sheetjs.com/pandas/sheetjs.py
curl -LO https://docs.sheetjs.com/pandas/SheetJSPandas.py
sed "s#libduktape.207.20700.so#$LIB_NAME#g" sheetjs.py > sheetjs.py.tmp
mv sheetjs.py.tmp sheetjs.py
python3 SheetJSPandas.py pres.numbers || python SheetJSPandas.py pres.numbers
npx -y xlsx-cli SheetJSPandas.xlsb
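Review bot: `OS=$(uname -s)` near the top is assigned again after the Duktape build as `OS="$(uname -s)"`; drop one of them. The script has no `set -e`, and `cd /tmp` is immediately followed by an unguarded `rm -rf sheetjs-pandas`; with `set -e` (or `cd /tmp || exit 1`) a failed `cd` cannot turn into a `rm -rf` in the caller's working directory, and a failed Duktape `make` stops the script instead of letting it run the Python demo against a missing `$LIB_NAME`. The `sed ... > tmp; mv tmp file` pattern is the portable choice (`sed -i` differs between macOS and GNU), but join the two with `&&` so a failed `sed` does not replace `sheetjs.py` with an empty file.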

tests/math/polars.sh (Executable file, 51 lines)

@ -0,0 +1,51 @@
#!/bin/bash
# https://docs.sheetjs.com/docs/demos/math/pandas
OS=$(uname -s)
cd /tmp
rm -rf sheetjs-polars
mkdir sheetjs-polars
cd sheetjs-polars
curl -LO https://duktape.org/duktape-2.7.0.tar.xz
tar -xJf duktape-2.7.0.tar.xz
cd duktape-2.7.0
make -f Makefile.sharedlibrary
cd ..
OS="$(uname -s)"
case "$OS" in
Darwin) LIB_NAME="libduktape.207.20700.so" ;;
Linux) LIB_NAME="libduktape.so.207.20700" ;;
*) echo "Unsupported OS: $OS"; exit 1 ;;
esac
cp "duktape-2.7.0/$LIB_NAME" .
curl -LO https://cdn.sheetjs.com/xlsx-latest/package/dist/shim.min.js
curl -LO https://cdn.sheetjs.com/xlsx-latest/package/dist/xlsx.full.min.js
curl -LO https://docs.sheetjs.com/pres.numbers
curl -LO https://docs.sheetjs.com/pandas/sheetjs.py
curl -LO https://docs.sheetjs.com/pandas/SheetJSPandas.py
sed "s#libduktape.207.20700.so#$LIB_NAME#g" sheetjs.py > sheetjs.py.tmp
mv sheetjs.py.tmp sheetjs.py
sed "s#from pandas import read_csv#from polars import read_csv#g" sheetjs.py > sheetjs.py.tmp
mv sheetjs.py.tmp sheetjs.py
sed 's#json = df.to_json(orient="records")#json = df.write_json()#g' sheetjs.py > sheetjs.py.tmp
mv sheetjs.py.tmp sheetjs.py
sed 's#print(df.info())#print(df)#g' SheetJSPandas.py > SheetJSPandas.py.tmp
mv SheetJSPandas.py.tmp SheetJSPandas.py
sed 's#SheetJSPandas.xlsb#SheetJSPolars.xlsb#g' SheetJSPandas.py > SheetJSPandas.py.tmp
mv SheetJSPandas.py.tmp SheetJSPandas.py
python3 SheetJSPandas.py pres.numbers || python SheetJSPandas.py pres.numbers
npx -y xlsx-cli SheetJSPolars.xlsb
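Review bot: this script duplicates `tests/math/pandas.sh` line for line through the Duktape build and the downloads, then applies five separate `sed ... > tmp; mv` rewrites; factor the shared setup into a sourced helper (or parametrize pandas.sh) and collapse the rewrites into one `sed -e ... -e ...` per file, so a Duktape or library-name change only has to be made once. The same `set -e` and duplicate `OS=` remarks as for pandas.sh apply, and the header comment should say that the Polars variant lives in the Polars section of the pandas demo page, since the URL alone suggests a different demo.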

@ -1,5 +1,5 @@
#!/bin/bash
# https://docs.sheetjs.com/docs/getting-started/installation/deno
# https://docs.sheetjs.com/docs/getting-started/installation/bun
cd /tmp
rm -rf sheetjs-bun