Escape strings to prevent CSV injection
Prefixing the string with a tab when it starts with =, -, + or @.

Thanks to Devendra Bhatla for reporting the issue.

Fixes #29130, CVE-2021-43257
dregad committed Apr 13, 2022
1 parent f983c35 commit 7f4534c
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions core/csv_api.php
@@ -116,6 +116,13 @@ function csv_get_default_filename() {
* @access public
*/
function csv_escape_string( $p_string ) {
# Prevent CSV injection by escaping text that could be interpreted as a formula
if( $p_string && strpos( '=-+@', $p_string[0] ) !== false ) {
# Prefixing with a tab rather than single quote, as Excel does not show
# the tab visually in the cell.
$p_string = "\t" . $p_string;
}

$t_escaped = str_split( '"' . csv_get_separator() . csv_get_newline() );
$t_must_escape = false;
while( ( $t_char = current( $t_escaped ) ) !== false && !$t_must_escape ) {
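Review bot: the trigger check in `csv_escape_string` only inspects `$p_string[0]` against `'=-+@'`, so a value whose first byte is a carriage return or tab with the formula character immediately after it is passed through un-prefixed; the OWASP CSV injection guidance lists tab (0x09) and carriage return (0x0D) alongside `=`, `+`, `-` and `@` as leading characters to neutralize, so consider either adding them to the needle list or testing the first character of `ltrim( $p_string, "\t\r\n" )` instead of the raw first byte. The use of `strpos( '=-+@', $p_string[0] )` with the character as the needle is correct, and the `$p_string &&` guard only skips the empty string and `"0"`, neither of which can start with a formula character, so that part is fine. Two smaller points: the comment explains why a tab was chosen over a single quote but not that the prefix is intentionally left unquoted (the loop below only quotes a field containing the quote, separator or newline characters, which is why the prefixed tab does not change the column layout unless the configured separator is itself a tab, in which case the field is quoted), which is worth a line for the next reader; and the docblock ending at `* @access public` still describes the function as plain escaping, so it should mention the formula-injection handling and the reference to CVE-2021-43257 / #29130 from the commit message.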
