Escape formulae on export

[matthewhegarty]

There is a potential security flaw where XLSX files can be exported with active formulae (see #257).

This PR adds an optional 'escape' kwarg to the export method which will strip leading '=' characters and disable formulae.

Tests included.

[codecov[bot]]

Codecov Report

Merging #540 (080b55a) into master (4363c43) will increase coverage by 0.12%. The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master     #540      +/-   ##
==========================================
+ Coverage   91.15%   91.28%   +0.12%     
==========================================
  Files          28       28              
  Lines        2680     2719      +39     
==========================================
+ Hits         2443     2482      +39     
  Misses        237      237              

Impacted Files	Coverage Δ
src/tablib/formats/_xlsx.py	97.02% <100.00%> (+0.06%)	:arrow_up:
tests/test_tablib.py	98.72% <100.00%> (+0.05%)	:arrow_up:

:mega: We’re building smart automated test selection to slash your CI/CD build times. Learn more

[claudep]

Thanks for the patch! Could you please also complete the docs in formats.rst?

[matthewhegarty]

Thanks for the patch! Could you please also complete the docs in formats.rst?

Done. To avoid duplication I added links to the source docstrings.

Also updated requirements.txt to the latest version of 'Sphinx'

[claudep]

@hugovk, I let you do the merge if you find it OK.

[hugovk]

Thanks!

[matthewhegarty]

Is there a timeline for releasing this? Sorry to ask but we have a downstream security issue relating to this. Any updates greatly appreciated.

[claudep]

I guess someone has to complete the HISTORY file, but then I think we could release soonish...

[hugovk]

@matthewhegarty If you can make a PR to update HISTORY.md, that would help us release much quicker :)

[matthewhegarty]

544 :+1:

[hugovk]

Thank you, now released in 3.4.0! 🚀

• https://pypi.org/project/tablib/3.4.0/