
v5.0.be-5.3.11 / 1.2.9 - csv and formula injection wording #2811

Closed
elarlang opened this issue Mar 30, 2025 · 2 comments
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet); 5) awaiting PR (A proposal has been accepted and reviewed and we are now waiting for a PR); V1 (prev V5); _5.0 - rc1

Comments

@elarlang (Collaborator) commented Mar 30, 2025

spin-off from #2554, initially developed in #1469

From

| # | Description | Level | #v5.0.be |
|---|---|---|---|
| 1.2.9 | [ADDED] Verify that the application is protected against CSV and Formula Injection. The application should follow the escaping rules defined in RFC4180 2.6 and 2.7 when exporting CSV files. The application should escape special characters including '=', '+', '-', '@' '\t' (tab) and '\00' (null character) using a single quote, if they are the first character in a field, when exporting CSV files and other spreadsheet formats such as xls, xlsx, odf. | 3 | v5.0.be-5.3.11 |

Proposed in #2810

| # | Description | Level | #v5.0.be |
|---|---|---|---|
| 1.2.9 | [ADDED] Verify that the application is protected against CSV and Formula Injection. The application must follow the escaping rules defined in RFC4180 2.6 and 2.7 when exporting CSV files. When exporting CSV files and other spreadsheet formats such as xls, xlsx, or odf, the application must also escape special characters including '=', '+', '-', '@' '\t' (tab) and '\00' (null character) using a single quote, if they are the first character in a field. | 3 | v5.0.be-5.3.11 |

I think there is overlap here that can be avoided:

The application must follow the escaping rules defined in RFC4180 2.6 and 2.7 when exporting CSV files.

vs

When exporting CSV files and other spreadsheet formats such as xls, xlsx, or odf, the application must also escape

edit: terminology question - it is not about exporting CSV files, it is about building CSV or spreadsheet content. What happens with the content is out of scope for this issue.

Attempt for proposal:

Verify that the application is protected against CSV and Formula Injection. The application must follow the escaping rules defined in RFC4180 2.6 and 2.7 when exporting CSV content. Additionally, in case exporting for other spreadsheet formats (such as xls, xlsx, or odf), special characters must be escaped (including '=', '+', '-', '@' '\t' (tab) and '\00' (null character)) using a single quote, if they are the first character in a field value.

@tghosth (Collaborator) commented Mar 30, 2025

Suggest:

"Verify that the application is protected against CSV and Formula Injection. The application must follow the escaping rules defined in RFC4180 2.6 and 2.7 when exporting CSV content. Additionally, when exporting to CSV or other spreadsheet formats (such as xls, xlsx, or odf), special characters (including '=', '+', '-', '@' '\t' (tab) and '\00' (null character)) must be escaped using a single quote, if they are the first character in a field value."

The special character escaping also needs to happen for CSV
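The following is an added example (not code from the ASVS project or from either commenter) showing how the agreed wording translates into code: formula-trigger neutralisation with a leading single quote for every field, then RFC 4180 2.6/2.7 quoting, applied when building CSV content, plus a scan that flags fields in existing CSV text that were not neutralised. The trigger set is the one listed in the requirement; the sample rows are constructed.

```python
import csv
import io

# Characters that spreadsheet applications may interpret as the start of a
# formula when they are the first character of a cell (set taken from the
# requirement text: '=', '+', '-', '@', tab and null).
FORMULA_TRIGGERS = frozenset("=+-@\t\0")


def neutralize_formula(value: str) -> str:
    """Prefix a leading formula trigger with a single quote so the cell is read as text."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def rfc4180_field(value: str) -> str:
    """RFC 4180 sections 2.6/2.7: enclose a field in double quotes if it contains
    a comma, CR, LF or double quote, and double every embedded double quote."""
    if any(ch in value for ch in ',"\r\n'):
        return '"' + value.replace('"', '""') + '"'
    return value


def safe_csv_field(value: str) -> str:
    """Neutralise first, then quote: the single quote must end up inside the quotes."""
    return rfc4180_field(neutralize_formula(value))


def build_csv(rows: list[list[str]]) -> str:
    """Build CSV content (CRLF record separator) with every field protected."""
    return "".join(",".join(safe_csv_field(f) for f in row) + "\r\n" for row in rows)


def find_unprotected_fields(csv_text: str) -> list[tuple[int, int]]:
    """Scan existing CSV text and return (row, column) positions of fields that
    still begin with a formula trigger, i.e. were not neutralised before export."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text, newline=""))):
        for c, field in enumerate(row):
            if field and field[0] in FORMULA_TRIGGERS:
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    # Constructed sample: a benign formula-looking value and a value needing RFC 4180 quoting.
    sample = build_csv([["id", "note"], ["1", "=SUM(1,2)"], ["2", 'said "hi"']])
    print(sample)
    print(find_unprotected_fields("id,note\r\n1,=SUM(1,2)\r\n"))
```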

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V1 (prev V5) _5.0 - rc1 labels Mar 30, 2025
@elarlang elarlang added the 5) awaiting PR A proposal has been accepted and reviewed and we are now waiting for a PR label Mar 30, 2025
@elarlang (Collaborator, Author) commented

ack, update the PR
