Prevent CSV injection attacks

phlex-ruby · Feb 19, 2024 · ad3cd94 · ad3cd94
1 parent a527cf9
commit ad3cd94
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/lib/phlex/csv.rb b/lib/phlex/csv.rb
@@ -82,9 +82,13 @@ def render(renderable)
 	end
 
 	def escape(value)
-		value = value.to_s
+		value = value.to_s.dup
+		value.strip!
 
-		if value.include?('"') || value.include?(",") || value.include?("\n")
+		if value.start_with?("=") || value.start_with?("+") || value.start_with?("-") || value.start_with?("@")
+			# Prefix a tab to prevent Excel and Google Docs from interpreting the value as a formula
+			%("\t#{value.gsub('"', '""')}")
+		elsif value.include?('"') || value.include?(",") || value.include?("\n")
 			%("#{value.gsub('"', '""')}")
 		else
 			value