From 1ee9c0b8d92af14929c62709f12d6ab5a6d5171c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=B9=9B=E9=9C=B2=E5=85=88=E7=94=9F?=
Date: Fri, 5 Sep 2025 09:58:03 +0800
Subject: [PATCH] fix xss in excel_parser (#9909)
### What problem does this PR solve?
### Type of change
- [x] Bug Fix (non-breaking change which fixes an issue)
- [x] Refactoring
- [x] Performance Improvement
Signed-off-by: zhanluxianshen
---
 deepdoc/parser/excel_parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deepdoc/parser/excel_parser.py b/deepdoc/parser/excel_parser.py
index 91bcad7a7..29bf4e2e6 100644
--- a/deepdoc/parser/excel_parser.py
+++ b/deepdoc/parser/excel_parser.py
@@ -124,7 +124,7 @@ class RAGFlowExcelParser:
 if c.value is None:
 tb += ""
 else:
- tb += f"{c.value}"
+ tb += f"{escape(_fmt(c.value))}"
 tb += ""
 tb += "\n"
 tb_chunks.append(tb)
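Review bot: The added `escape(_fmt(c.value))` call depends on `escape` and `_fmt` already being in scope, yet the diffstat shows one changed line and no new import or helper, so confirm both names are defined earlier in excel_parser.py; if they are not, every non-empty cell raises NameError. Cell text comes from an uploaded workbook and is untrusted, so any other workbook-derived value written into the table markup outside this hunk (not visible here) presumably needs the same encoding. A one-line comment above the change such as `# cell text is attacker-controlled; HTML-encode before it reaches the table markup` would record why the call is there. The fix would also benefit from a regression test asserting that a cell containing markup characters comes out entity-encoded. The enclosing method starts and ends outside the hunk.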