Suggested CSV Injection mitigation does not survive saving and re-opening in Excel
https://github.com/OWASP/www-community/blob/master/pages/attacks/CSV_Injection.md
Excel is commonly used to edit CSV files. Unfortunately, when saving CSVs, Excel strips out some of the characters which are inserted to prevent the CSV injection. This is unfortunate behaviour from Excel, and should really be fixed there, but I'd like to be able to prevent formulas from being inserted into CSVs and run on my users' computers.
For most outputs it's possible to completely disallow cells starting with "=" and "@", irrespective of quoting. But "-" is obviously required for numbers.
One suggestion for solving this is inserting an extra tab character, which prevents Excel from removing the quotes.
http://georgemauer.net/2017/10/07/csv-injection.html
Reproduction:
Consider the following CSV:
a,b
,"'=1+2"
Open the CSV, focus on the cell with the formula, and then move the focus away. Save the CSV; it is saved as:
a,b
,=1+2
Open the CSV again, the formula is executed and "3" is shown in the cell.
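An added example (not code from the issue or from the OWASP page) of an export-side sanitiser that applies the mitigations discussed in this report: negative numbers pass through untouched, other cells starting with a formula trigger get a leading single quote, an optional extra tab is prepended so the quoting survives Excel's save-and-reopen round trip, and "=" / "@" cells can be rejected outright. The tab-before-quote ordering and the trigger list are this example's assumptions.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications may interpret as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers (including negatives such as -12.5) must be left alone so the
# column still sorts and sums as numbers.
NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")


def sanitize_cell(value, tab_prefix=False, reject=False):
    """Return a value that Excel will not evaluate as a formula.

    - Numbers (e.g. "-3") pass through unchanged.
    - A leading single quote makes Excel treat the content as text.
    - tab_prefix=True also prepends a tab (the workaround from the post
      above; tab-then-quote order is an assumption of this example) so the
      quoting survives a save and re-open in Excel.
    - reject=True refuses values starting with "=" or "@", which the report
      says are never legitimate, instead of escaping them.
    """
    text = "" if value is None else str(value)
    if text == "" or NUMERIC.match(text) or text[0] not in FORMULA_TRIGGERS:
        return text
    if reject and text[0] in ("=", "@"):
        raise ValueError(f"formula-like cell rejected: {text!r}")
    return ("\t'" if tab_prefix else "'") + text


def write_safe_csv(rows, tab_prefix=False):
    """Serialise rows to CSV text with every cell sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(c, tab_prefix=tab_prefix) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample export mirroring the reproduction in the issue.
    sample = [["a", "b"], ["", "=1+2"], ["-7", "@SUM(A1:A9)"], ["x", "-1+1"]]
    print(write_safe_csv(sample))
    print(repr(write_safe_csv(sample, tab_prefix=True)))
```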
layout: col-sidebar
title: "My Page"
author: "My Name"
contributors: ["Additional Contributor Names", "If Any"]
permalink: /MyPageTitle
tags: ["attack", "XSS"]
{% include writers.html %}
Write your content here!
@pepe-invest-git please stop making random useless posts.