
Form vulnerable to malicious formulae

Open Ollie-Boyd opened this issue 5 years ago • 2 comments

Hi Jamie, it's best to sanitise the data submitted to Google Sheets by removing any "=" characters. Right now anyone using your code is at risk of all their Sheet's data being exfiltrated from the sheet by a malicious =IMPORTDATA formula. Kind regards, Ollie

Ollie-Boyd avatar May 10 '19 14:05 Ollie-Boyd

@Ollie-Boyd Can you please help me with an instance of the same?

AdityaSher avatar Jun 25 '19 08:06 AdityaSher

Replace e.parameter[header] with e.parameter[header].replace(/=/g,'') or similar

tombrennan06 avatar Mar 02 '22 06:03 tombrennan06
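
An added example, not part of the thread or the project's code: a sanitiser that can wrap each `e.parameter[header]` value before it is written to the sheet. It goes beyond stripping `=` by neutralising any value whose first non-space character is `=`, `+`, `-` or `@`, and leaves those characters alone elsewhere in the value. The names `neutraliseCell` and `buildRow` and the sample submission are hypothetical, and the leading-apostrophe text convention in Sheets is an assumption.

```javascript
// Added example (hypothetical helper names, constructed sample data).
// A value is treated as formula-like when its first non-space character
// is one of the common formula triggers.
const FORMULA_LEAD = /^\s*[=+\-@]/;

// Return a string that is safe to store in a cell.
function neutraliseCell(value) {
  if (value === undefined || value === null) return '';
  const text = String(value);
  if (FORMULA_LEAD.test(text)) {
    // Assumption: Sheets stores a value with a leading apostrophe as plain
    // text. Even if the apostrophe were kept literally, the cell would no
    // longer begin with a trigger character.
    // Trade-off: inputs such as "-5" are stored as text, not as numbers.
    return "'" + text;
  }
  return text;
}

// Build one sheet row from the column headers and the submitted parameters,
// e.g. buildRow(headers, e.parameter) inside the form handler.
function buildRow(headers, parameter) {
  return headers.map(function (header) {
    return neutraliseCell(parameter[header]);
  });
}

// Constructed sample submission (not real data).
const sampleParameter = {
  name: 'Alice',
  email: '=IMPORTDATA("https://example.invalid/")',
  note: 'x=y is fine in the middle of a value'
};

console.log(buildRow(['name', 'email', 'note', 'phone'], sampleParameter));
```

Values that merely contain `=` are kept intact, which a blanket `replace(/=/g,'')` would not do.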