🔒 security(ui): tighten vulnerability CSV export escaping

- Always quote every CSV field instead of only when it contains commas/quotes/newlines
- Escape tab and carriage return as formula-injection leading characters in addition to =+-@
- Quote and escape column headers on the same code path as data cells

Author: s-b-e-n-s-o-n

ui/src/views/security/securityViewUtils.ts

@@ -151,15 +151,8 @@ export function buildSecurityEmptyState(input: SecurityViewEmptyStateInput): Sec
 export type VulnExportFormat = 'json' | 'csv';
 
 function escapeCsvField(value: string): string {
-  const sanitizedValue = /^[=+\-@]/.test(value) ? `'${value}` : value;
-  if (
-    sanitizedValue.includes(',') ||
-    sanitizedValue.includes('"') ||
-    sanitizedValue.includes('\n')
-  ) {
-    return `"${sanitizedValue.replace(/"/g, '""')}"`;
-  }
-  return sanitizedValue;
+  const sanitizedValue = /^[=+\-@\t\r]/.test(value) ? `'${value}` : value;
+  return `"${sanitizedValue.replace(/"/g, '""')}"`;
 }
 
 const VULN_CSV_COLUMNS = [
@@ -174,7 +167,7 @@ const VULN_CSV_COLUMNS = [
 ] as const;
 
 export function vulnReportToCsv(vulns: Vulnerability[]): string {
-  const rows = [VULN_CSV_COLUMNS.join(',')];
+  const rows = [VULN_CSV_COLUMNS.map(escapeCsvField).join(',')];
   for (const v of vulns) {
     rows.push(
       [

ui/tests/views/security/securityViewUtils.spec.ts

@@ -218,6 +218,7 @@ describe('securityViewUtils', () => {
       expect(toSafeExternalUrl('javascript:alert(1)')).toBeNull();
       expect(toSafeExternalUrl('ftp://example.com')).toBeNull();
       expect(toSafeExternalUrl('data:text/html,<h1>hi</h1>')).toBeNull();
+      expect(toSafeExternalUrl('file:///etc/passwd')).toBeNull();
     });
 
     it('returns null for invalid URLs', () => {
@@ -240,15 +241,17 @@ describe('securityViewUtils', () => {
     };
 
     it('returns only header row for empty array', () => {
-      expect(vulnReportToCsv([])).toBe('ID,Severity,Package,Version,Fixed In,Title,Target,URL');
+      expect(vulnReportToCsv([])).toBe(
+        '"ID","Severity","Package","Version","Fixed In","Title","Target","URL"',
+      );
     });
 
     it('formats a single vulnerability as CSV', () => {
       const csv = vulnReportToCsv([baseVuln]);
       const lines = csv.split('\n');
       expect(lines).toHaveLength(2);
       expect(lines[1]).toBe(
-        'CVE-2026-1234,HIGH,openssl,1.1.1,1.1.2,Buffer overflow,usr/lib/libssl.so,https://nvd.nist.gov/vuln/detail/CVE-2026-1234',
+        '"CVE-2026-1234","HIGH","openssl","1.1.1","1.1.2","Buffer overflow","usr/lib/libssl.so","https://nvd.nist.gov/vuln/detail/CVE-2026-1234"',
       );
     });
 
@@ -262,7 +265,7 @@ describe('securityViewUtils', () => {
       };
       const csv = vulnReportToCsv([vuln]);
       const lines = csv.split('\n');
-      expect(lines[1]).toBe('CVE-2026-1234,HIGH,openssl,1.1.1,,,,');
+      expect(lines[1]).toBe('"CVE-2026-1234","HIGH","openssl","1.1.1","","","",""');
     });
 
     it('escapes fields containing commas and quotes', () => {
@@ -290,7 +293,22 @@ describe('securityViewUtils', () => {
       const lines = csv.split('\n');
 
       expect(lines[1]).toBe(
-        "'=CVE-2026-1234,'+HIGH,'-openssl,'@1.1.1,1.1.2,Buffer overflow,usr/lib/libssl.so,https://nvd.nist.gov/vuln/detail/CVE-2026-1234",
+        `"'=CVE-2026-1234","'+HIGH","'-openssl","'@1.1.1","1.1.2","Buffer overflow","usr/lib/libssl.so","https://nvd.nist.gov/vuln/detail/CVE-2026-1234"`,
+      );
+    });
+
+    it('prefixes tab-leading fields and escapes embedded quotes', () => {
+      const vuln: Vulnerability = {
+        ...baseVuln,
+        id: '\t=cmd',
+        title: 'Buffer "overflow"',
+      };
+
+      const csv = vulnReportToCsv([vuln]);
+      const lines = csv.split('\n');
+
+      expect(lines[1]).toBe(
+        '"\'\t=cmd","HIGH","openssl","1.1.1","1.1.2","Buffer ""overflow""","usr/lib/libssl.so","https://nvd.nist.gov/vuln/detail/CVE-2026-1234"',
       );
     });
   });