Hello,
Is there a way to avoid CSV formula injection when exporting XLSX?
Usually, it should be enough to use a single quote as a prefix (') to prevent evil formulas from being executed, but I cannot find a way to do this through your APIs. Could you please advise? Thanks a lot.
Hi Ivan!
Thank you for your question.
Yes, we will add this check in the next minor release 2.6.9 (ETA Dec, 03).
Regards,
Dmytro
Hello Ivan,
We are glad to inform you that we have already released an update which prevents exported Excel formulas from executing.
You are welcome to update the component and try it.
Regards,
Dmytro
Hi Dmytro,
Sorry for the late reply. I see that if you export a "malicious" as Excel it works, but if you try to download a CSV file and open it with Excel, the problem still persists. Of course you have different warnings telling you that the source is not safe, but basically a formula like this one: =cmd|'/C notepad'!'A1' is not streamed with the ' prefix.
We are currently using v2.6.9; has this been enhanced in next versions like 2.6.12?
Thanks a lot for your help
Have a nice day!
Hello Ivan,
Thank you for writing to us. There were no updates to CSV export regarding Excel formula injection.
We will add the necessary improvement to the CSV export functionality in the minor release, ETA Feb 25.
Regards,
Dmytro
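
The single-quote prefix discussed in this thread, applied at the point where CSV is written, as an added example that is not code from the thread or from the vendor's component. The function names and sample rows are hypothetical; it goes slightly beyond the thread by also covering the other trigger characters (+, -, @, tab, carriage return), leaving plain numbers untouched, and applying RFC 4180 quoting.

```javascript
// Added example: neutralise spreadsheet formulas while writing CSV by hand.
// All names and sample rows are hypothetical, not any vendor's API.

// Leading characters that make Excel evaluate a cell as a formula or DDE call.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Plain numbers such as -42.5 or +3e4 are data, not formulas; leave them alone.
const NUMERIC = /^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$/;

function neutraliseCell(value) {
  const text = value === null || value === undefined ? "" : String(value);
  if (text === "" || NUMERIC.test(text)) return text;
  // Some importers trim cells, so a trigger behind leading spaces still counts.
  const probe = text.replace(/^ +/, "");
  return FORMULA_TRIGGERS.has(probe[0]) ? "'" + text : text;
}

function toCsvField(value) {
  const safe = neutraliseCell(value);
  // RFC 4180 quoting: wrap fields holding a comma, quote or line break,
  // and double every embedded quote.
  return /[",\r\n]/.test(safe) ? '"' + safe.replace(/"/g, '""') + '"' : safe;
}

function toCsv(rows) {
  return rows.map((row) => row.map(toCsvField).join(",")).join("\r\n");
}

// Constructed sample data; row two carries the formula quoted in the thread.
const sampleRows = [
  ["name", "balance", "note"],
  ["alice", -42.5, "=cmd|'/C notepad'!'A1'"],
  ["bob", "+7", '  @SUM(1,1) says "hi"'],
];

console.log(toCsv(sampleRows));
```

The prefix becomes part of the exported data, so any program that re-imports the CSV sees the leading apostrophe and has to strip it if the original value is needed.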