Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Excel (XLSB/XLSX/XLSM/XLS/XML) and ODS spreadsheet parser and writer (extended to enable read/write of cell formats with xlsx files)
Parser and writer for various spreadsheet formats. Pure-JS cleanroom implementation from official specifications and related documents.
NOTE: This project is a fork of the original (and awesome) SheetJS/xlsx project. It is extended to enable cell formats to be read from and written to .xlsx workbooks. The intent is to provide a temporary means of using these features in practice, and ultimately to merge this into the primary project. Report any issues to https://github.com/protobi/js-xlsx/issues.
For those contributing to this fork:
master
is the main branch, which follows the original repo to enable a future pull request.beta
branch is published to npm and bower to make this fork available for use.Supported read formats:
Supported write formats:
Demo: http://oss.sheetjs.com/js-xlsx
Source: http://git.io/xlsx
With npm:
npm install xlsx-style --save
In the browser:
<script lang="javascript" src="dist/xlsx.core.min.js"></script>
With bower:
bower install js-xlsx-style#beta
CDNjs automatically pulls the latest version and makes all versions available at http://cdnjs.com/libraries/xlsx
The node version automatically requires modules for additional features. Some of these modules are rather large in size and are only needed in special circumstances, so they do not ship with the core. For browser use, they must be included directly:
<!-- international support from https://github.com/sheetjs/js-codepage -->
<script src="dist/cpexcel.js"></script>
<!-- ODS support -->
<script src="dist/ods.js"></script>
An appropriate version for each dependency is included in the dist/ directory.
The complete single-file version is generated at dist/xlsx.full.min.js
Since xlsx.js uses ES5 functions like Array#forEach
, older browsers require
Polyfills. This repo and the gh-pages branch include
a shim
To use the shim, add the shim before the script tag that loads xlsx.js:
<script type="text/javascript" src="/path/to/shim.js"></script>
For parsing, the first step is to read the file. This involves acquiring the data and feeding it into the library. Here are a few common scenarios:
if(typeof require !== 'undefined') XLSX = require('xlsx');
var workbook = XLSX.readFile('test.xlsx');
/* DO SOMETHING WITH workbook HERE */
/* set up XMLHttpRequest */
var url = "test_files/formula_stress_test_ajax.xlsx";
var oReq = new XMLHttpRequest();
oReq.open("GET", url, true);
oReq.responseType = "arraybuffer";
oReq.onload = function(e) {
var arraybuffer = oReq.response;
/* convert data to binary string */
var data = new Uint8Array(arraybuffer);
var arr = new Array();
for(var i = 0; i != data.length; ++i) arr[i] = String.fromCharCode(data[i]);
var bstr = arr.join("");
/* Call XLSX */
var workbook = XLSX.read(bstr, {type:"binary"});
/* DO SOMETHING WITH workbook HERE */
}
oReq.send();
/* set up drag-and-drop event */
function handleDrop(e) {
e.stopPropagation();
e.preventDefault();
var files = e.dataTransfer.files;
var i, f;
for (i = 0, f = files[i]; i != files.length; ++i) {
var reader = new FileReader();
var name = f.name;
reader.onload = function(e) {
var data = e.target.result;
/* if binary string, read with type 'binary' */
var workbook = XLSX.read(data, {type: 'binary'});
/* DO SOMETHING WITH workbook HERE */
};
reader.readAsBinaryString(f);
}
}
drop_dom_element.addEventListener('drop', handleDrop, false);
function handleFile(e) {
var files = e.target.files;
var i, f;
for (i = 0, f = files[i]; i != files.length; ++i) {
var reader = new FileReader();
var name = f.name;
reader.onload = function(e) {
var data = e.target.result;
var workbook = XLSX.read(data, {type: 'binary'});
/* DO SOMETHING WITH workbook HERE */
};
reader.readAsBinaryString(f);
}
}
input_dom_element.addEventListener('change', handleFile, false);
The full object format is described later in this README.
This example extracts the value stored in cell A1 from the first worksheet:
var first_sheet_name = workbook.SheetNames[0];
var address_of_cell = 'A1';
/* Get worksheet */
var worksheet = workbook.Sheets[first_sheet_name];
/* Find desired cell */
var desired_cell = worksheet[address_of_cell];
/* Get the value */
var desired_value = desired_cell.v;
This example iterates through every nonempty of every sheet and dumps values:
var sheet_name_list = workbook.SheetNames;
sheet_name_list.forEach(function(y) { /* iterate through sheets */
var worksheet = workbook.Sheets[y];
for (z in worksheet) {
/* all keys that do not begin with "!" correspond to cell addresses */
if(z[0] === '!') continue;
console.log(y + "!" + z + "=" + JSON.stringify(worksheet[z].v));
}
});
Complete examples:
Note that older versions of IE does not support HTML5 File API, so the base64 mode is provided for testing. On OSX you can get the base64 encoding with:
$ <target_file.xlsx base64 | pbcopy
http://oss.sheetjs.com/js-xlsx/ajax.html XMLHttpRequest
https://github.com/SheetJS/js-xlsx/blob/master/bin/xlsx.njs node
The node version installs a command line tool xlsx
which can read spreadsheet
files and output the contents in various formats. The source is available at
xlsx.njs
in the bin directory.
Some helper functions in XLSX.utils
generate different views of the sheets:
XLSX.utils.sheet_to_csv
generates CSVXLSX.utils.sheet_to_json
generates an array of objectsXLSX.utils.sheet_to_formulae
generates a list of formulaeFor writing, the first step is to generate output data. The helper functions
write
and writeFile
will produce the data in various formats suitable for
dissemination. The second step is to actual share the data with the end point.
Assuming workbook
is a workbook object:
/* output format determined by filename */
XLSX.writeFile(workbook, 'out.xlsx');
/* at this point, out.xlsx is a file that you can distribute */
/* bookType can be 'xlsx' or 'xlsm' or 'xlsb' */
var wopts = { bookType:'xlsx', bookSST:false, type:'binary' };
var wbout = XLSX.write(workbook,wopts);
function s2ab(s) {
var buf = new ArrayBuffer(s.length);
var view = new Uint8Array(buf);
for (var i=0; i!=s.length; ++i) view[i] = s.charCodeAt(i) & 0xFF;
return buf;
}
/* the saveAs call downloads a file on the local machine */
saveAs(new Blob([s2ab(wbout)],{type:""}), "test.xlsx")
Complete examples:
XLSX
is the exposed variable in the browser and the exported node variable
XLSX.version
is the version of the library (added by the build script).
XLSX.SSF
is an embedded version of the format library.
XLSX.read(data, read_opts)
attempts to parse data
.
XLSX.readFile(filename, read_opts)
attempts to read filename
and parse.
XLSX.write(wb, write_opts)
attempts to write the workbook wb
XLSX.writeFile(wb, filename, write_opts)
attempts to write wb
to filename
Utilities are available in the XLSX.utils
object:
Exporting:
sheet_to_json
converts a workbook object to an array of JSON objects.sheet_to_csv
generates delimiter-separated-values outputsheet_to_formulae
generates a list of the formulae (with value fallbacks)Cell and cell address manipulation:
format_cell
generates the text value for a cell (using number formats){en,de}code_{row,col}
convert between 0-indexed rows/cols and A1 forms.{en,de}code_cell
converts cell addresses{en,de}code_range
converts cell rangesjs-xlsx conforms to the Common Spreadsheet Format (CSF):
Cell address objects are stored as {c:C, r:R}
where C
and R
are 0-indexed
column and row numbers, respectively. For example, the cell address B5
is
represented by the object {c:1, r:4}
.
Cell range objects are stored as {s:S, e:E}
where S
is the first cell and
E
is the last cell in the range. The ranges are inclusive. For example, the
range A3:B7
is represented by the object {s:{c:0, r:2}, e:{c:1, r:6}}
. Utils
use the following pattern to walk each of the cells in a range:
for(var R = range.s.r; R <= range.e.r; ++R) {
for(var C = range.s.c; C <= range.e.c; ++C) {
var cell_address = {c:C, r:R};
}
}
Key | Description |
---|---|
v | raw value (see Data Types section for more info) |
w | formatted text (if applicable) |
t | cell type: b Boolean, n Number, e error, s String, d Date |
f | cell formula (if applicable) |
r | rich text encoding (if applicable) |
h | HTML rendering of the rich text (if applicable) |
c | comments associated with the cell ** |
z | number format string associated with the cell (if requested) |
l | cell hyperlink object (.Target holds link, .tooltip is tooltip) |
s | the style/theme of the cell (if applicable) |
Built-in export utilities (such as the CSV exporter) will use the w
text if it
is available. To change a value, be sure to delete cell.w
(or set it to
undefined
) before attempting to export. The utilities will regenerate the w
text from the number format (cell.z
) and the raw value if possible.
Note: The .z attribute is now deprecated. Use the .s
attribute to specify cell styles including number formats.
To specify a number format, use s.numFmt
, e.g. {v: 42145.822, s: { numFmt: "m/dd/yy"}}
described below.
The raw value is stored in the v
field, interpreted based on the t
field.
Type b
is the Boolean type. v
is interpreted according to JS truth tables
Type e
is the Error type. v
holds the number and w
holds the common name:
Value | Error Meaning |
---|---|
0x00 | #NULL! |
0x07 | #DIV/0! |
0x0F | #VALUE! |
0x17 | #REF! |
0x1D | #NAME? |
0x24 | #NUM! |
0x2A | #N/A |
0x2B | #GETTING_DATA |
Type n
is the Number type. This includes all forms of data that Excel stores
as numbers, such as dates/times and Boolean fields. Excel exclusively uses data
that can be fit in an IEEE754 floating point number, just like JS Number, so the
v
field holds the raw number. The w
field holds formatted text.
Type d
is the Date type, generated only when the option cellDates
is passed.
Since JSON does not have a natural Date type, parsers are generally expected to
store ISO 8601 Date strings like you would get from date.toISOString()
. On
the other hand, writers and exporters should be able to handle date strings and
JS Date objects. Note that Excel disregards the timezone modifier and treats all
dates in the local timezone. js-xlsx does not correct for this error.
Type s
is the String type. v
should be explicitly stored as a string to
avoid possible confusion.
Each key that does not start with !
maps to a cell (using A-1
notation)
worksheet[address]
returns the cell object for the specified address.
Special worksheet keys (accessible as worksheet[key]
, each starting with !
):
ws['!ref']
: A-1 based range representing the worksheet range. Functions that
work with sheets should use this parameter to determine the range. Cells that
are assigned outside of the range are not processed. In particular, when
writing a worksheet by hand, be sure to update the range. For a longer
discussion, see http://git.io/KIaNKQ
Functions that handle worksheets should test for the presence of !ref
field.
If the !ref
is omitted or is not a valid range, functions are free to treat
the sheet as empty or attempt to guess the range. The standard utilities that
ship with this library treat sheets as empty (for example, the CSV output is an
empty string).
When reading a worksheet with the sheetRows
property set, the ref parameter
will use the restricted range. The original range is set at ws['!fullref']
ws['!cols']
: array of column properties objects. Column widths are actually
stored in files in a normalized manner, measured in terms of the "Maximum
Digit Width" (the largest width of the rendered digits 0-9, in pixels). When
parsed, the column objects store the pixel width in the wpx
field, character
width in the wch
field, and the maximum digit width in the MDW
field.
ws['!merges']
: array of range objects corresponding to the merged cells in
the worksheet. Plaintext utilities are unaware of merge cells. CSV export
will write all cells in the merge range if they exist, so be sure that only
the first cell (upper-left) in the range is set.
ws['!printHeader']
: array of row indices for repeating row headers on print, e.g. [1:1]
to repeat just the first row.
The following properties are currently used when generating an XLSX file, but not yet parsed:
ws['!rowBreaks']
: array of row break points, e.g. [16,32]
ws['!colBreaks']
: array of col break points, e.g. [8,16]
ws['!pageSetup']
: `{scale: '100', orientation: 'portrait'||'landscape'}ws['!printHeader']
: array of first and last row indexes for repeat header on printing, e.g. [1,1]
to repeat just first rowws['!freeze']
: string cell reference for breakpoint, e.g. the following will freeze the first row and first column:
{
xSplit: "1",
ySplit: "1",
topLeftCell: "B2",
activePane: "bottomRight",
state: "frozen"
}workbook.SheetNames
is an ordered list of the sheets in the workbook
wb.Sheets[sheetname]
returns an object representing the worksheet.
wb.Props
is an object storing the standard properties. The following properties are currently used when
generating an XLSX file, but not yet parsed:
- title
- subject
- description
- keywords
- creator
wb.Custprops
stores custom properties. Since the XLS standard properties deviate from the XLSX
standard, XLS parsing stores core properties in both places. .
The exported read
and readFile
functions accept an options argument:
Option Name | Default | Description |
---|---|---|
cellFormula | true | Save formulae to the .f field ** |
cellHTML | true | Parse rich text and save HTML to the .h field |
cellNF | false | Save number format string to the .z field |
cellStyles | false | Save style/theme info to the .s field |
cellDates | false | Store dates as type d (default is n ) ** |
sheetStubs | false | Create cell objects for stub cells |
sheetRows | 0 | If >0, read the first sheetRows rows ** |
bookDeps | false | If true, parse calculation chains |
bookFiles | false | If true, add raw files to book object ** |
bookProps | false | If true, only parse enough to get book metadata ** |
bookSheets | false | If true, only parse enough to get the sheet names |
bookVBA | false | If true, expose vbaProject.bin to vbaraw field ** |
password | "" | If defined and file is encrypted, use password ** |
cellFormula
option only applies to formats that require extra processing to
parse formulae (XLS/XLSB).cellNF
is false, formatted text will be generated and saved to .w
bookSheets
is false.bookSheets
and bookProps
combine to give both sets of informationDeps
will be an empty object if bookDeps
is falsybookFiles
behavior depends on file type:
keys
array (paths in the ZIP) for ZIP-based formatsfiles
hash (mapping paths to objects representing the files) for ZIPcfb
object for formats using CFB containerssheetRows-1
rows will be generated when looking at the JSON object output
(since the header row is counted as a row when parsing the data)bookVBA
merely exposes the raw vba object. It does not parse the data.cellDates
currently does not convert numerical dates to JS dates.The defaults are enumerated in bits/84_defaults.js
The exported write
and writeFile
functions accept an options argument:
Option Name | Default | Description |
---|---|---|
cellDates | false | Store dates as type d (default is n ) |
bookSST | false | Generate Shared String Table ** |
bookType | 'xlsx' | Type of Workbook ("xlsx" or "xlsm" or "xlsb") |
showGridLines | true | Show gridlines on all pages |
tabSelected | '1' | Initial tab selected |
Props | null | Workbook properties |
bookSST
is slower and more memory intensive, but has better compatibility
with older versions of iOS NumbersbookType = 'xlsb'
is stubbed and far from completecellDates
only applies to XLSX output and is not guaranteed to work with
third-party readers. Excel itself does not usually write cells with type d
so non-Excel tools may ignore the data or blow up in the presence of dates.Cell styles are specified by a style object that roughly parallels the OpenXML structure. The style object has five
top-level attributes: fill
, font
, numFmt
, alignment
, and border
.
Style Attribute | Sub Attributes | Values |
---|---|---|
fill | patternType | "solid" or "none" |
fgColor | COLOR_SPEC | |
bgColor | COLOR_SPEC | |
font | name | "Calibri" // default |
sz | "11" // font size in points | |
color | COLOR_SPEC | |
bold | true or false | |
underline | true or false | |
italic | true or false | |
strike | true or false | |
outline | true or false | |
shadow | true or false | |
vertAlign | true or false | |
numFmt | "0" // integer index to built in formats, see StyleBuilder.SSF property | |
"0.00%" // string matching a built-in format, see StyleBuilder.SSF | ||
"0.0%" // string specifying a custom format | ||
"0.00%;\\(0.00%\\);\\-;@" // string specifying a custom format, escaping special characters | ||
"m/dd/yy" // string a date format using Excel's format notation | ||
alignment | vertical | "bottom" or "center" or "top" |
horizontal | "bottom" or "center" or "top" | |
wrapText | true or false | |
readingOrder | 2 // for right-to-left | |
textRotation | Number from 0 to 180 or 255 (default is 0 ) | |
90 is rotated up 90 degrees | ||
45 is rotated up 45 degrees | ||
135 is rotated down 45 degrees | ||
180 is rotated down 180 degrees | ||
255 is special, aligned vertically | ||
border | top | { style: BORDER_STYLE, color: COLOR_SPEC } |
bottom | { style: BORDER_STYLE, color: COLOR_SPEC } | |
left | { style: BORDER_STYLE, color: COLOR_SPEC } | |
right | { style: BORDER_STYLE, color: COLOR_SPEC } | |
diagonal | { style: BORDER_STYLE, color: COLOR_SPEC } | |
diagonalUp | true or false | |
diagonalDown | true or false |
COLOR_SPEC: Colors for fill
, font
, and border
are specified as objects, either:
{ auto: 1}
specifying automatic values{ rgb: "FFFFAA00" }
specifying a hex ARGB value{ theme: "1", tint: "-0.25"}
specifying an integer index to a theme color and a tint value (default 0){ indexed: 64}
default value for fill.bgColor
BORDER_STYLE: Border style is a string value which may take on one of the following values:
thin
medium
thick
dotted
hair
dashed
mediumDashed
dashDot
mediumDashDot
dashDotDot
mediumDashDotDot
slantDashDot
Borders for merged areas are specified for each cell within the merged area. So to apply a box border to a merged area of 3x3 cells, border styles would need to be specified for eight different cells:
Tests utilize the mocha testing framework. Travis-CI and Sauce Labs links:
Test files are housed in another repo.
Running make init
will refresh the test_files
submodule and get the files.
make test
will run the node-based tests. To run the in-browser tests, clone
the oss.sheetjs.com repo and
replace the xlsx.js file (then fire up the browser and go to stress.html
):
$ cp xlsx.js ../SheetJS.github.io
$ cd ../SheetJS.github.io
$ simplehttpserver # or "python -mSimpleHTTPServer" or "serve"
$ open -a Chromium.app http://localhost:8000/stress.html
For a much smaller test, run make test_misc
.
Due to the precarious nature of the Open Specifications Promise, it is very important to ensure code is cleanroom. Consult CONTRIBUTING.md
The xlsx.js file is constructed from the files in the bits
subdirectory. The
build script (run make
) will concatenate the individual bits to produce the
script. Before submitting a contribution, ensure that running make will produce
the xlsx.js file exactly. The simplest way to test is to move the script:
$ mv xlsx.js xlsx.new.js
$ make
$ diff xlsx.js xlsx.new.js
To produce the dist files, run make dist
. The dist files are updated in each
version release and should not be committed between versions.
Please consult the attached LICENSE file for details. All rights not explicitly granted by the Apache 2.0 license are reserved by the Original Author.
It is the opinion of the Original Author that this code conforms to the terms of the Microsoft Open Specifications Promise, falling under the same terms as OpenOffice (which is governed by the Apache License v2). Given the vagaries of the promise, the Original Author makes no legal claim that in fact end users are protected from future actions. It is highly recommended that, for commercial uses, you consult a lawyer before proceeding.
ISO/IEC 29500:2012(E) "Information technology — Document description and processing languages — Office Open XML File Formats"
OSP-covered specifications:
Open Document Format for Office Applications Version 1.2 (29 September 2011)
FAQs
Excel (XLSB/XLSX/XLSM/XLS/XML) and ODS spreadsheet parser and writer (extended to enable read/write of cell formats with xlsx files)
The npm package jl-js-xlsx receives a total of 2 weekly downloads. As such, jl-js-xlsx popularity was classified as not popular.
We found that jl-js-xlsx demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.