Conversation

@hviradiya-anaqua
Contributor

Description

Fixes #1115

Added Line feed (0x0A) to the list of characters that should be escaped to prevent CSV injection attacks.

Problem

The CSV Injection documentation page was missing the line feed character (\n, ASCII 0x0A) from the list of characters to escape. The original list only included carriage return (0x0D).

Solution

Added "Line feed (0x0A)" to the bullet list in the remediation section.

Why This Change Is Important

  • Most Unix-based systems use \n as the default newline character
  • Spreadsheets treat \n and \r similarly for row breaking
  • User input containing \n can break CSV structure just like \r
  • This provides more complete, platform-agnostic guidance for developers

Testing

  • Verified the change renders correctly in markdown
  • Confirmed the addition maintains the existing formatting and structure
  • Ensured no breaking changes to existing content

- Added Line feed (0x0A) to the list of characters to escape for CSV injection prevention
- This ensures more complete and platform-agnostic guidance for developers
- Addresses the gap where Unix-based systems using \n as default newline character were not explicitly covered
- Fixes issue OWASP#1115
@hviradiya-anaqua hviradiya-anaqua force-pushed the fix-csv-injection-missing-line-feed branch from 3aad8e2 to 0f49fdc Compare August 1, 2025 12:54
@kingthorin kingthorin merged commit 0e5e8f0 into OWASP:master Aug 1, 2025
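
An added example, not part of the pull request or the OWASP page's own code: a field escaper run with the trigger list as it stood before and after this change, showing that a cell beginning with a line feed is only neutralised by the updated list. The trigger characters other than CR and LF, the prepend-quote/wrap-in-quotes remediation steps, the function names and the sample row are assumptions made for the illustration.

```python
import csv
import io

# The page names CR (0x0D) and the newly added LF (0x0A); the remaining
# trigger characters are assumed for this illustration.
TRIGGERS_BEFORE = ("=", "+", "-", "@", "\t", "\r")
TRIGGERS_AFTER = TRIGGERS_BEFORE + ("\n",)


def escape_field(value, triggers=TRIGGERS_AFTER):
    """Neutralise one cell: prefix a single quote if it starts with a
    trigger character, double embedded double quotes, wrap in quotes."""
    text = str(value)
    if text.startswith(triggers):
        text = "'" + text
    return '"' + text.replace('"', '""') + '"'


def write_row(fields, triggers=TRIGGERS_AFTER):
    """Build one CSV record from untrusted field values."""
    return ",".join(escape_field(f, triggers) for f in fields) + "\r\n"


def parse(data):
    """Read the generated CSV back with the standard csv module."""
    return list(csv.reader(io.StringIO(data, newline="")))


# Constructed sample input: the second field begins with a line feed.
SAMPLE = ["1001", "\n=1+1", 'say "hi"']

if __name__ == "__main__":
    for label, trig in (("before", TRIGGERS_BEFORE), ("after", TRIGGERS_AFTER)):
        out = write_row(SAMPLE, trig)
        print(label, repr(out), parse(out))
```

Because every field is wrapped in double quotes, the embedded line feed stays inside one cell when the file is parsed; the difference between the two lists is whether that cell also receives the leading single quote.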

Development

Successfully merging this pull request may close these issues.

CSV Injection Page: Missing \n (line feed) in list of characters to escape
