
CSV Injection vulnerability

Open thel0ner opened this issue 2 years ago • 0 comments

I'm submitting a ... (check one with "x")

[x ] bug report => CSV Injection vulnerability 
[ ] feature request
[ ] support request => Please do not submit support request here, instead see https://github.com/ceolter/ag-grid-enterprise/blob/master/CONTRIBUTING.md#question

Current behavior

exportDataAsCsv method does not sanitize data for Formula injection.

Expected behavior

It's safe to expect the grid to control data before exporting a CSV file, so that the user won't be faced with malicious code in the CSV file exported by the grid.

Minimal reproduction of the problem with instructions

Sample payload to test: @SUM(1+9)*cmd|' /C calc'!A0 (resource on OWASP)

Sample code to solve it:

```typescript
export const csvXlsxFormulaInjectionSanitizer = (str: string): string => {
  // Cells beginning with =, @, + or - are evaluated as formulas by spreadsheet apps.
  // `!= null` also guards against undefined, which would otherwise throw on .match().
  if (str != null && str.match(/^[=@+-]/)) {
    // Prefix with a single quote so the cell is read as text, wrap it in double
    // quotes, and double any embedded quotes so the CSV stays well-formed.
    // (The original used a plain "..." string here, so ${} was never interpolated.)
    return `"'${str.replace(/"/g, '""')}"`;
  }
  return str;
};
```

What is the motivation / use case for changing the behavior?

Safety.

Please tell us about your environment:

  • HTTP Server: IIS / Apache / Nginx
  • Angular version: 13.x
  • ag-Grid-Enterprise version: 25.3.0
  • Browser: [all | Chrome XX | Firefox XX | IE XX | Safari XX | Mobile Chrome XX | Android X.X Web Browser | iOS XX Safari | iOS XX UIWebView | iOS XX WKWebView ]
  • Language: [TypeScript 4.1.5 |]

thel0ner · Jul 27 '22 13:07
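The sanitizer proposed in the issue neutralises the four formula prefixes. The block below is an added example, not code from the issue or from ag-Grid: it covers the other trigger characters OWASP lists (tab and carriage return), passes genuine numbers through so negative values stay numeric, and keeps CSV quoting in a separate RFC 4180 step so the sanitizer and the serializer cannot double-quote each other. Every name in it (sanitizeCsvCell, quoteCsvField, toCsvRow, toCsv, the sample rows) is this example's own, and the rows are constructed test data.

```typescript
// Added example, not code from the issue or from ag-Grid. All names and the
// sample rows below are constructed for this illustration.

// Leading characters that make Excel/LibreOffice/Sheets treat a cell as a
// formula (=, +, -, @), plus tab and CR, which can break a value out of its cell.
const FORMULA_TRIGGER = /^[=+\-@\t\r]/;

// Return a value that the spreadsheet will read as text, never as a formula.
function sanitizeCsvCell(value: unknown): string {
  if (value === null || value === undefined) return "";
  // A genuine number is never a formula; passing it through keeps the exported
  // column numeric (otherwise -5 would be caught by the leading "-" rule).
  if (typeof value === "number") return String(value);
  const str = String(value);
  return FORMULA_TRIGGER.test(str) ? `'${str}` : str;
}

// RFC 4180 quoting: wrap the field in double quotes when it contains the
// delimiter, a quote or a line break, doubling embedded quotes. Fields that were
// neutralised with a leading apostrophe are quoted too, mirroring the issue's suggestion.
function quoteCsvField(field: string, delimiter = ","): string {
  const needsQuote =
    field.includes(delimiter) || /["\r\n]/.test(field) || field.startsWith("'");
  return needsQuote ? `"${field.replace(/"/g, '""')}"` : field;
}

// One CSV record: sanitize each cell first, then apply CSV quoting.
function toCsvRow(cells: unknown[], delimiter = ","): string {
  return cells
    .map((c) => quoteCsvField(sanitizeCsvCell(c), delimiter))
    .join(delimiter);
}

// Full document: header row plus data rows, CRLF line endings per RFC 4180.
function toCsv(header: string[], rows: unknown[][], delimiter = ","): string {
  return [header, ...rows].map((r) => toCsvRow(r, delimiter)).join("\r\n");
}

// Constructed sample rows: one benign, one carrying the issue's test payload,
// one with an embedded quote, a "-" prefixed note and a negative number.
const SAMPLE_HEADER = ["name", "note", "balance"];
const SAMPLE_ROWS: unknown[][] = [
  ["alice", "paid in full", 120],
  ["mallory", "@SUM(1+9)*cmd|' /C calc'!A0", 0],
  ['bob "the builder"', "-pending", -5],
];

console.log(toCsv(SAMPLE_HEADER, SAMPLE_ROWS));
```

ag-Grid's CSV export parameters include a processCellCallback hook; returning sanitizeCsvCell(params.value) from it applies the neutralisation before the grid writes the file. The grid performs its own CSV quoting at that point, so only the sanitizer, not quoteCsvField, belongs in that hook.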