
Suggested CSV Injection mitigation does not survive saving and re-opening in Excel #517

Open
xxgreg opened this issue Nov 24, 2021 · 2 comments


xxgreg commented Nov 24, 2021

https://github.com/OWASP/www-community/blob/master/pages/attacks/CSV_Injection.md

Excel is commonly used to edit CSV files. Unfortunately, when saving CSVs, Excel strips out some of the characters which are inserted to prevent the CSV injection. This is unfortunate behaviour from Excel, and should really be fixed there, but I'd like to be able to prevent formulas from being inserted into CSVs and run on my users' computers.

For most outputs it's possible to completely disallow cells starting with "=" and "@", irrespective of quoting. But "-" is obviously required for numbers.

One suggestion for solving this is inserting an extra tab character, which prevents Excel from removing the quotes.

http://georgemauer.net/2017/10/07/csv-injection.html

Reproduction:

Consider the following CSV:

a,b
,"'=1+2"

Open the CSV, focus on the cell with the formula, and then move the focus away. Save the CSV; it is saved as:

a,b
,=1+2

Open the CSV again; the formula is executed and "3" is shown in the cell.
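An added example (not from the issue author or the OWASP page) of the stricter policy described above: flag or neutralise cells that start with a formula trigger, while letting leading "-" through when the cell is a plain number. The trigger set and the numeric regex are my assumptions; the sample CSV is constructed from the reproduction in this issue.

```python
import csv
import io
import re

# Leading characters that make Excel treat a cell as a formula (assumed set).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers such as -12.5 or -3e4 legitimately start with "-"; allow them.
NUMERIC = re.compile(r"^-?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?$")


def is_risky(value: str) -> bool:
    """True when a spreadsheet would interpret this cell as a formula."""
    if not value or not value.startswith(FORMULA_TRIGGERS):
        return False
    # A "-" followed by an ordinary number is data, not a formula.
    return not (value.startswith("-") and NUMERIC.match(value))


def sanitize_cell(value: str) -> str:
    """Prefix a risky cell with a single quote so Excel displays it as text.

    As the issue shows, this prefix does not survive an Excel save/re-open
    cycle, so treat it as a display-time defence and reject "=" / "@" cells
    outright wherever the output allows it.
    """
    return "'" + value if is_risky(value) else value


def scan_csv(text: str):
    """Return (row, column, value) for every cell that would start a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_risky(cell):
                findings.append((r, c, cell))
    return findings


def write_safe_csv(rows) -> str:
    """Serialise rows with every cell passed through sanitize_cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample: the issue's CSV plus a negative number and an "@" cell.
SAMPLE = 'a,b\n,"=1+2"\n-12.5,@SUM(A1)\n'
```

Running `scan_csv(SAMPLE)` reports the "=1+2" and "@SUM(A1)" cells but not "-12.5", which is the distinction the issue asks for.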

@pepe-invest-git

This comment has been minimized.

@kingthorin
Contributor

@pepe-invest-git please stop making random useless posts.
