You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Excel is commonly used to edit CSV files. Unfortunately when saving CSVs Excel strips out some of the characters which are inserted to prevent the CSV injection. This is unfortunate behaviour from Excel, and should really be fixed there, but I'd like to be able to prevent formulas from being inserted into CSVs and run on my user's computers.
For most outputs it's possible to completely disallow cells starting with "=", and "@", irrespective of quoting. But "-" is obviously required for numbers.
One suggestion for solving this is inserting an extra tab character, which prevents Excel from removing the quotes.
https://github.com/OWASP/www-community/blob/master/pages/attacks/CSV_Injection.md
Excel is commonly used to edit CSV files. Unfortunately when saving CSVs Excel strips out some of the characters which are inserted to prevent the CSV injection. This is unfortunate behaviour from Excel, and should really be fixed there, but I'd like to be able to prevent formulas from being inserted into CSVs and run on my user's computers.
For most outputs it's possible to completely disallow cells starting with "=", and "@", irrespective of quoting. But "-" is obviously required for numbers.
One suggestion for solving this is inserting an extra tab character, which prevents Excel from removing the quotes.
http://georgemauer.net/2017/10/07/csv-injection.html
Reproduction:
Consider the following CSV:
Open the CSV, focus on the cell with the formula, and then move the focus away. Save the CSV, it is saved as:
Open the CSV again, the formula is executed and "3" is shown in the cell.
The text was updated successfully, but these errors were encountered: