
CVE-2021-23654 Improper Input Validation

Open · RichieB2B opened this issue 3 years ago · 1 comment

Interestingly enough, someone found a security issue in this code but failed to post a pull request or even report it:

https://security.snyk.io/vuln/SNYK-PYTHON-HTMLTOCSV-1582784

RichieB2B avatar Mar 01 '22 10:03 RichieB2B

CVE-2021-23654 was probably the result of automated static analysis. It is called CSV injection and happens when you open a file that includes formulas (e.g. ='file:///etc/passwd'#$passwd.A1) in a spreadsheet program such as LibreOffice or Excel.

As far as I'm concerned, this library shouldn't be in the business of filtering input, but users should know that caution must be exercised when opening files from unknown sources (before or after conversion).

ghost avatar May 29 '22 03:05 ghost
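The CSV injection described in the comment above, as an added defensive example that is not part of the html2csv project or either commenter's code: it flags cells a spreadsheet would evaluate as formulas (the issue's `='file:///etc/passwd'#$passwd.A1` is one of the constructed sample cells) and shows the usual mitigation of prefixing such cells with an apostrophe before writing the CSV. The sample rows and the function names are assumptions made for this example.

```python
import csv
import io

# Leading characters that make LibreOffice / Excel treat a cell as a formula
# instead of plain text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: rows a converter might emit from an untrusted HTML table.
# The 'file:///etc/passwd' formula is the one quoted in the issue above.
SAMPLE_ROWS = [
    ["name", "amount", "note"],
    ["alice", "-5", "regular refund"],
    ["bob", "12", "='file:///etc/passwd'#$passwd.A1"],
    ["carol", "+3.5", "=1+1"],
]


def is_formula_like(cell: str) -> bool:
    """True when a spreadsheet would evaluate the cell rather than display it."""
    stripped = cell.lstrip(" ")  # conservative: also catch cells with leading spaces
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    try:  # "-5" or "+3.5" is a signed number, not a formula
        float(stripped)
        return False
    except ValueError:
        return True


def neutralize_cell(cell: str) -> str:
    """Mitigation: prefix a formula-like cell with an apostrophe so it is shown as text."""
    return "'" + cell if is_formula_like(cell) else cell


def find_formula_cells(rows):
    """Detection: list (row_index, col_index, value) for every formula-like cell."""
    return [(r, c, v) for r, row in enumerate(rows)
            for c, v in enumerate(row) if is_formula_like(v)]


def write_safe_csv(rows) -> str:
    """Return CSV text in which every formula-like cell has been neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)  # quote every field as well
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


if __name__ == "__main__":
    for r, c, v in find_formula_cells(SAMPLE_ROWS):
        print(f"row {r} col {c}: formula-like cell {v!r}")
    print(write_safe_csv(SAMPLE_ROWS))
```

The detection pass is what a user of the converter would run over its output before opening the file in a spreadsheet; the apostrophe prefix is the mitigation that keeps the original text visible while preventing evaluation.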