randym / axlsx

xlsx generation with charts, images, automated column width, customizable styles and full schema validation. Axlsx excels at helping you generate beautiful Office Open XML Spreadsheet documents without having to understand the entire ECMA specification. Check out the README for some examples of how easy it is. Best of all, you can validate your xlsx file before serialization so you know for sure that anything generated is going to load on your client's machine.
MIT License

Option to block Formula Injection #624

Open JohnLegrand opened 5 years ago

JohnLegrand commented 5 years ago

It would be nice to be able to pass an option to block formula injection. We use this Gem to let clients export tables to Excel sheets. This is an unsafe practice because a formula could be injected. There should be an ability to block these injections to OWASP standards (prepending "'" to anything that starts with something possibly malicious: https://www.owasp.org/index.php/CSV_Injection).
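As an illustration of the mitigation the comment above refers to, here is a small sanitizer written for this thread; it is not code from axlsx, caxlsx, or the commenter. It follows the OWASP CSV Injection guidance: any string whose first character is one of `=`, `+`, `-`, `@`, tab or carriage return gets a leading single quote so a spreadsheet application treats it as literal text. The function names (`sanitize_cell`, `sanitize_row`) and the sample rows are constructed for the example; the idea is to run untrusted values through it before handing a row to the worksheet.

```ruby
# Added example, not part of the axlsx issue or the gem itself.
# Defensive sanitizer for untrusted spreadsheet cell values, following the
# OWASP CSV Injection recommendation of prefixing a single quote to any
# value that could otherwise be parsed as a formula.

# Leading characters that Excel and similar applications may interpret as
# the start of a formula (the OWASP list: = + - @, tab, carriage return).
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# Returns +value+ unchanged if it is not a String (numbers, dates, nil are
# never interpreted as formulas), otherwise a copy that cannot start a
# formula: a leading single quote is added when the first character is a
# trigger. An empty string is returned as-is.
def sanitize_cell(value)
  return value unless value.is_a?(String)
  return value if value.empty?

  FORMULA_TRIGGERS.include?(value[0]) ? "'#{value}" : value
end

# Sanitizes every element of a row (an Array of cell values), the same shape
# one would pass to a worksheet's add_row.
def sanitize_row(row)
  row.map { |cell| sanitize_cell(cell) }
end

# Constructed sample export data: the kinds of input a client might type into
# a table field, mixing harmless values with formula-like strings.
SAMPLE_ROWS = [
  ["Alice", 42, "=1+1"],
  ["Bob", 7, "+HYPERLINK(\"http://example.invalid\")"],
  ["-5", nil, "@SUM(A1)"],
  ["\tplain", "safe text", ""]
].freeze

# Applies the sanitizer to the whole constructed data set.
def sanitized_sample
  SAMPLE_ROWS.map { |row| sanitize_row(row) }
end

if __FILE__ == $PROGRAM_NAME
  sanitized_sample.each { |row| p row }
end
```

Two practical notes. First, the check is deliberately applied only to Strings: numeric data should be passed as Integer or Float rather than as text, otherwise a value such as "-5" is (correctly, by the OWASP rule) escaped as text. Second, the added apostrophe is stored as part of the string in the generated file, so it is visible in the cell; that is the trade-off of this approach compared with a library-level option that marks the cell as plain text.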

morcoteg commented 5 years ago

Considering opening up a PR for this, since I'm currently monkey patching it in my work's project for this security vulnerability. Just don't know if this gem is still maintained, because of the low activity on the 34 open PRs. @JohnLegrand @randym is this gem still being maintained? I would like to add John's suggested change above.

noniq commented 4 years ago

This has been addressed in https://github.com/caxlsx/caxlsx/commit/0a223011a