Open wyter opened 1 month ago
🤔 It looks like the `'` prepended to negative values is not a bug, it is expected as part of the escaping process from @woocommerce/csv-export to prevent a CSV injection exploit: https://github.com/woocommerce/woocommerce/issues/25379
To remediate it, ensure that no cells begin with any of the following characters: Equals to (=), Plus (+), Minus (-), At (@), Tab (0x09), Carriage return (0x0D).
Forcing all values to a string before @woocommerce/csv-export `generateCSVDataFromTable()` does not bypass this escaping process.
Note, this is only a problem for untrusted user input, which should not be a problem here since WooPayments is generating the values after fetching from the /transactions REST endpoint.
I've confirmed this issue also exists in WC Analytics with negative values.
An example of a WC Analytics → Revenue exported CSV opened with Apple Numbers:
I've re-opened the upstream @woocommerce/csv-export issue, so we can move the discussion there: https://github.com/woocommerce/woocommerce/issues/25379.
I'll mark this as blocked until we can resolve upstream by potentially bypassing the escaping process if values are from a trusted source.
This is related to a prior WooPayments issue #7307, where tab chars were previously prepended rather than `'`. A subsequent PR to @woocommerce/csv-export changed the tab char to a `'` char, as recommended by OWASP.
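To make the escaping behaviour discussed in this thread concrete, here is an added illustrative JavaScript implementation (not the @woocommerce/csv-export code) of the OWASP-style cell escaping, plus a narrow exemption for strictly numeric values from a trusted source, which is the kind of bypass being weighed upstream. `escapeCSVCell`, `rowToCSV` and the `trusted` option are assumed names; the sample rows are constructed.

```javascript
// Illustrative CSV-injection escaping (assumed implementation, not the
// @woocommerce/csv-export package's own code).
const FORMULA_TRIGGERS = ['=', '+', '-', '@', '\t', '\r'];

// Escape one cell: prefix a leading formula-trigger character with a single
// quote so spreadsheets treat the cell as text, then double-quote cells that
// contain delimiters, quotes or line breaks (RFC 4180 style).
function escapeCSVCell(value, { trusted = false } = {}) {
  let str = String(value ?? '');
  // Even for trusted data, only exempt values that are strictly a plain
  // number: "-1.50" cannot be a formula, but "-1+1" or "=SUM(A1)" could be.
  const strictlyNumeric = /^-?\d+(\.\d+)?$/.test(str);
  if (FORMULA_TRIGGERS.includes(str[0]) && !(trusted && strictlyNumeric)) {
    str = "'" + str;
  }
  if (/[",\r\n]/.test(str)) {
    str = '"' + str.replace(/"/g, '""') + '"';
  }
  return str;
}

// Serialise one row of cells with the same options applied to every cell.
function rowToCSV(cells, opts) {
  return cells.map((c) => escapeCSVCell(c, opts)).join(',');
}

// Constructed sample rows: a negative fee (the case from this issue) and a
// cell that starts with a formula trigger.
const sampleRows = [
  ['Order #1001', 'Fee', -1.5],
  ['=SUM(A1)', 'Note', 10],
];

// Default (untrusted) output prefixes the negative fee with a quote,
// which is exactly the "'-" the reporter saw; the trusted variant keeps
// the number as-is while still escaping the formula-like cell.
console.log(sampleRows.map((r) => rowToCSV(r)).join('\n'));
console.log(sampleRows.map((r) => rowToCSV(r, { trusted: true })).join('\n'));
```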
Description
We received this in one of our support requests:
Here's the "fine" screenshot from emailed reports, doesn't have `'-` symbols:

Here's the "not fine" screenshot from automatically downloaded transaction reports, has `'-` symbols:

Request: Since the emailed transaction CSV files do not have the symbols `'-`, could we consider removing these symbols in the automatically-downloaded transaction reports?

Acceptance criteria
Removal of the symbols `'-` before transaction fees in automatically downloaded transaction CSV files.

Designs
The fees column in the automatically-downloaded transaction reports should look like this:
Testing instructions
`'-`. Ideally, these shouldn't show if this improvement is made.

Additional context
Reported on 8635657-zen