"[Content_Types].xml" exported from js-xlsx contains "macroEnabled" ContentType
#1501
Comments
|
So we can reproduce, what anti-virus scanners are tripping based on this? |
|
At least our inhouse firewall. |
|
Some scanners will look for .bin files as evidence of macros, but slightly more sophisticated scanners will look through |
|
|
|
Yes, I am aware of the XLSB format (and we don't flag them), but this issue relates to XLSX files. |
|
|
|
i have the same problem , i am getting this message in my firewall : File Contains VBA Macro blocked , Gateway Anti-virus Alert |
|
@TommyAlfaro is it blocking files with VBA macros (XLSM with bookVBA: true) or is it blocking the XLSX files too? Can you see if the XLSX export from https://sheetjs.com/demo/table is blocked? While we're at it, is the XLSB blocked as well? |
|
Maybe I should explain more, i am making a docker image which contains an
angular project with your library, the firewall blocked the container
image.
I probed with the Excel file generated on https://sheetjs.com/demo/table
and wasn't blocked
El jue., 8 oct. 2020 a las 21:42, SheetJSDev (<notifications@github.com>)
escribió:
… @TommyAlfaro <https://github.com/TommyAlfaro> is it blocking files with
VBA macros (XLSM with bookVBA: true) or is it blocking the XLSX files too?
Can you see if the XLSX export from https://sheetjs.com/demo/table is
blocked? While we're at it, is the XLSB blocked as well?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1501 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AH3QBTAQMMXIYVRGGFZDX7TSJ2BCJANCNFSM4HMIKDYA>
.
|
|
Let me ask differently: does the module itself (the thing you get when you run |
|
I just checked, if i remove xlsx i don't have problem sending the docker image, Tomorrow i'm gonna ask to firewall owner the log and i'll send you. |
|
Since the library is capable of reading and writing XLSM files with macros, certain tell-tale strings are in the source. https://github.com/SheetJS/sheetjs/blob/master/bits/30_ctype.js#L153 for example we need to set a content type to a string with an offensive word like If you can confirm that the source is causing the issue, we might be able to design a workaround by programmatically generating the word in a way that won't easily be optimized into the offending word. I'd be curious to know more about why it's being flagged |
|
@TommyAlfaro please follow up and let us know what may be causing issues. @jorangreef if you have control over the scanner, it should check for the existence of an xl/vbaProject.bin or similar in the file. If you would like to send a PR to suppress the |
I noticed that when creating an XLSX using
js-xlsx, the resulting[Content_Types].xmllisting includes an unnecessarymacroEnabledContentType, even though the generated XLSX has no macros:This ContentType for the corresponding "bin" extension should only be included if the exported XLSX does in fact have macros.
Otherwise, anti-virus scanners which inspect XLSX ZIPs and scan
[Content_Types].xmlwill reject the file thinking it has macros.The text was updated successfully, but these errors were encountered: