Friday, January 5, 2018

csv injection


CSV injection (also called formula injection) happens when a CSV file exported by an application is opened in a spreadsheet program and a cell value is interpreted as a formula instead of as data. For instance, a cell value of =cmd|' calc'!A0 is treated by Excel as a DDE link that asks the operating system to launch the calculator (current Excel versions show a security prompt first, but many users click through it).

To prevent CSV injection you need to either filter or neutralize the spreadsheet meta-characters that introduce a formula at the start of a cell. These 4 characters are +, -, =, and @. Wrapping the field in double quotes alone does not help: the spreadsheet strips the CSV quoting before it decides whether the cell is a formula, so the fix has to change the cell value itself. Production code should also treat a leading tab or carriage return the same way, since spreadsheet programs may honour a formula that follows them.

Filtering removes the meta-characters when a cell value begins with one of these 4 characters (remove all of them, not just the first, so that ==1+1 does not survive as =1+1). This silently changes legitimate data, for example a comment that really starts with a + sign, so it is the cruder of the two options.

Neutralizing precedes a cell value that begins with +, -, =, or @ with a single quote ('). This is called "escaping" or "neutralizing" the character: the spreadsheet then treats the cell as text instead of as a formula. Be aware that when the CSV is imported rather than typed in by hand, some spreadsheet programs display the leading quote as part of the value, and that numeric fields exported as strings (such as -42) get neutralized too unless the exporter emits them as numbers.
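The following is an added example (not code from the original post) of a small CSV exporter that applies both strategies described above: neutralizing by default and filtering as an alternative, combined with RFC 4180 quoting so that the neutralized value survives the CSV layer intact. The sample rows are constructed, the column names are hypothetical, and the inclusion of tab and carriage return in the prefix set is an assumption beyond the four characters the post lists.

```javascript
// Added example, not the original post's code.
// Leading characters that Excel/LibreOffice treat as the start of a formula:
// the four from the post plus tab and carriage return (assumption: treating
// them as formula prefixes too, as OWASP's CSV-injection guidance recommends).
const FORMULA_PREFIX = /^[=+\-@\t\r]/;

// Neutralize: keep the data, prefix a single quote so the cell is read as text.
// Only strings are touched; numbers and booleans are emitted as-is so that a
// negative balance is not turned into '-42.
function neutralizeCell(value) {
  if (typeof value !== 'string') return value;
  return FORMULA_PREFIX.test(value) ? "'" + value : value;
}

// Filter: strip every leading meta-character instead of escaping it.
// The "+" quantifier matters: removing only one character would turn
// "==1+1" into "=1+1", which is still a formula.
function filterCell(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/^[=+\-@\t\r]+/, '');
}

// RFC 4180 quoting: wrap the field in double quotes when it contains a
// separator, a quote or a line break, doubling any embedded quotes.
// Quoting is applied after neutralizing, so the leading ' stays inside the cell.
function quoteCsvField(value) {
  const s = String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Serialize rows (arrays of cells) to CSV text using the chosen strategy.
function toCsv(rows, strategy = neutralizeCell) {
  return rows
    .map(row => row.map(cell => quoteCsvField(strategy(cell))).join(','))
    .join('\r\n');
}

// Constructed sample rows (hypothetical column names), including the DDE
// payload from the post and a cell that needs CSV quoting.
const sampleRows = [
  ['name', 'comment', 'balance'],
  ['alice', "=cmd|' calc'!A0", -42],
  ['bob', '@SUM(A1:A9)', 17],
  ['carol', 'say "hi", then +1', 3],
];

console.log(toCsv(sampleRows));               // neutralized export
console.log(toCsv(sampleRows, filterCell));   // filtered export
```

Run with node: the neutralized export emits alice's comment as '=cmd|' calc'!A0, which a spreadsheet shows as text, while the filtered export drops the leading = and changes the data. Keeping numbers typed as numbers is what lets -42 pass through unchanged in both variants.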

1 comment:

    function escapeCSVData(s) {
      // Prefix a single quote when the value starts with a formula
      // meta-character (@, =, +, -) so the spreadsheet treats it as text.
      if (/^(@|=|\+|-)/.test(s)) {
        return "'" + s;
      }
      return s;
    }
