Updated PapaParse config to prevent CSV injection.
I've updated the PapaParse JS library to the latest version from the master branch which supports the `escapeFormulae` option in order to prevent malicious event entries from being parsed and executed by the Gophish user's spreadsheet software.

When a new PapaParse release is created, I'll update this code to use the updated minified file.
jordan-wright committed Jul 25, 2020
1 parent 4e9b94b commit b25f5ac
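The protection the commit message describes, as an added example that is not Gophish's or PapaParse's code: a small CSV writer whose `escapeFormulae` option (named after the PapaParse option, but a stand-in for it, not the library's implementation) prefixes any cell that begins with a formula trigger character with a single quote before the field is quoted. The trigger set, the helper names (`escapeFormulaCell`, `quoteCsvField`, `unparseCsv`) and the sample campaign rows are assumptions constructed for the example, not taken from the page.

```javascript
// Added example (not Gophish's or PapaParse's code): a minimal CSV writer that
// applies the same kind of defence the commit enables, neutralising cells that
// a spreadsheet would otherwise evaluate as a formula.

// Characters that spreadsheet software treats as the start of a formula when
// they begin a cell. Assumption: '=', '+', '-', '@' mirror the set PapaParse
// checks for escapeFormulae; tab and CR are included as extra caution.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Prefix a formula-looking cell with a single quote so it is stored as text.
function escapeFormulaCell(value) {
  const str = String(value);
  if (str.length > 0 && FORMULA_TRIGGERS.has(str[0])) {
    return "'" + str;
  }
  return str;
}

// RFC 4180 quoting: wrap the field in double quotes when it contains a
// delimiter, a quote or a line break, doubling any embedded quotes.
function quoteCsvField(str) {
  if (/[",\r\n]/.test(str)) {
    return '"' + str.replace(/"/g, '""') + '"';
  }
  return str;
}

// Serialise an array of objects to CSV; the keys of the first row form the
// header. escapeFormulae mirrors the option name used in the commit: when
// true, every cell (header included) passes through escapeFormulaCell first.
function unparseCsv(rows, { escapeFormulae = false } = {}) {
  if (rows.length === 0) return '';
  const fields = Object.keys(rows[0]);
  const encode = (v) =>
    quoteCsvField(escapeFormulae ? escapeFormulaCell(v) : String(v));
  const lines = [fields.map(encode).join(',')];
  for (const row of rows) {
    lines.push(fields.map((f) => encode(row[f] ?? '')).join(','));
  }
  return lines.join('\r\n');
}

// Constructed sample campaign results (hypothetical data): the first row is
// an ordinary entry, the second carries a user-controlled field that begins
// with '=' and would be evaluated by a spreadsheet if exported verbatim.
const sampleResults = [
  { email: 'alice@example.test', status: 'Email Sent', position: 'Analyst' },
  { email: 'bob@example.test', status: 'Clicked Link', position: '=SUM(1,2)' },
];

// Export without the option: the formula reaches the CSV unchanged.
function exportUnsafe() {
  return unparseCsv(sampleResults, {});
}

// Export with the option: the cell is stored as the text "'=SUM(1,2)".
function exportSafe() {
  return unparseCsv(sampleResults, { escapeFormulae: true });
}

console.log(exportSafe());
```

The trade-off worth knowing before switching the option on: legitimate values that start with `-` or `+` (negative numbers, phone numbers) are also turned into text, so the option is a blanket guard on user-controlled columns rather than a transparent encoding, and an export consumer that parses numbers from those columns needs to strip the leading quote itself.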
Showing 4 changed files with 1,938 additions and 9 deletions.
2 changes: 1 addition & 1 deletion static/js/dist/app/campaign_results.min.js


2 changes: 1 addition & 1 deletion static/js/dist/vendor.min.js


4 changes: 3 additions & 1 deletion static/js/src/app/campaign_results.js
Expand Up @@ -216,7 +216,9 @@ function exportAsCSV(scope) {
return
}
$("#exportButton").html('<i class="fa fa-spinner fa-spin"></i>')
var csvString = Papa.unparse(csvScope, {})
var csvString = Papa.unparse(csvScope, {
'escapeFormulae': true
})
var csvData = new Blob([csvString], {
type: 'text/csv;charset=utf-8;'
});
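Review bot: the new option only protects the export if the vendored build in static/js/dist/vendor.min.js actually implements `escapeFormulae`; the commit message says the library was taken from the master branch rather than a tagged release, so a later bump of vendor.min.js to an official release could silently drop the protection if that release lacks the option, and nothing in this hunk would fail. Suggest a comment beside `'escapeFormulae': true` recording the minimum PapaParse version required, and a test that exports an event whose field begins with `=` and asserts the value is no longer emitted verbatim in `csvString`. Minor style point: the new key is quoted (`'escapeFormulae': true`) while the object literal a few lines down uses an unquoted key (`type: 'text/csv;charset=utf-8;'`); the unquoted form would be consistent.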

1 comment on commit b25f5ac

@abergmann

CVE-2020-24707 was assigned to this commit.
