is there a way to avoid CSV formula injection when exporting XSLX ?
Usually, it should be enough using a single quote as prefix (‘) to avoid evil formulas to be executed, but I cannot find a way to do this through your APIs. Could you please advise ? thanks a lot
Thank you for your question.
Yes, we will add this check in the next minor release 2.6.9 (ETA Dec, 03)
We are glad to inform you that we have already released an update which prevents an exported Excel formulas from executing.
You are welcome to update the component and try it.
sorry for the late reply. I see that if you export a “malicious” as Excel it works, but if you try to download a csv file and open it with Excel the problem still persists. Of course you have different warnings telling you that the source is not safe, but basically a formula like this one: =cmd|’/C notepad’!’A1’is not streamed with the ‘ prefix
We are currently using v2.6.9, has this been enhanced in next versions like 2.6.12 ?
Thanks a lot for your help
Have a nice day!
Thank you for writing to us. There were no updates to CSV export regarding Excel formulas injections.
We will add the necessary improvement to CSV export functionality in the minor release ETA Feb 25.