Free Support Forum -

Injection risk on converting Excel to HTML

In one of the cells, the excel sheet has got:

< iframe src = https : /fly .com / >

When I export this workbook as HTML, instead of this being considered as a String , the HTML element is generated. This exposes my application to the risk of injection. Could anyone provide a solution as to how this can be prevented?

If there is any HTML code written in the Excel sheet, I would want it to be considered as a String and to appear in the HTML as plain text.

I am using Aspose Cells 18.4 for Java.

I have provided extra spaces in
< iframe src = https : /fly .com / >
If I remove the spaces the iframe gets injected into this page too.

Find the excel file, exported HTML file and the JAVA file attached below: (14.9 KB)


Please use Aspose.Cells for Java 18.7 on your end. Also upload source and output files with a code snippet and the link of thread where you have noticed same problem reported.

I have attached the files. Kindly take a look at it. Thanks.


Thanks for the sample code and template file.

Please try to change the line of code (from your code segment), i.e.,

Please note, when you specify true, it will parse HTML tags (in the cells) as value(string). When setting “false”, it will process HTML tags (in the cells) and embeds its HTML elements.

Thank you. That worked fine.


Good to know that your issue is sorted out by the suggested line of code. Feel free to contact us any time if you need further help or have some other issue or queries, we will be happy to assist you soon.

Well if I have an excel sheet in which I want some cells containing HTML to be treated as string and some cells containing HTML to be treated as HTML on exporting to HTML, is there any way to do that?

Suppose I have < iframe src = https : /fly .com / > in cells A1 and A2. On exporting to HTML , I would want A1 to be treated as plain text. And want A2 to be treated as an HTML element.

Is this possible in any way?


I am afraid, either you can render/have plain text or process HTML tags in the cells. You may not have both things at the same time directly.


See the post for your reference:

Thank you :slight_smile:


You are welcome.