fix: sanitize user data while generating csv to avoid formula injection
Signed-off-by: Pranav C <pranavxc@gmail.com>
pranavxc committed Dec 20, 2021
1 parent f46e89b commit 079e3ab
Showing 1 changed file with 15 additions and 10 deletions.
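--- a/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts
+++ b/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts
@@ -2556,16 +2556,21 @@ class BaseModelSql extends BaseModel {
 }
 }
 
-const data = Papaparse.unparse({
-fields:
-fields &&
-fields.filter(
-f =>
-this.columns.some(c => c._cn === f) ||
-this.virtualColumns.some(c => c._cn === f)
-),
-data: csvRows
-});
+const data = Papaparse.unparse(
+{
+fields:
+fields &&
+fields.filter(
+f =>
+this.columns.some(c => c._cn === f) ||
+this.virtualColumns.some(c => c._cn === f)
+),
+data: csvRows
+},
+{
+escapeFormulae: true
+}
+);
 return { data, offset, elapsed };
 }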
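Review bot: The new `escapeFormulae: true` option on the `Papaparse.unparse` call has no comment or regression test, and what it covers depends on the installed papaparse version, which this hunk does not show. The library defines which leading characters `true` escapes, so confirm that the pinned version handles tab and carriage-return prefixes as well as `=`, `+`, `-` and `@`. I would add `// escape cells that start like a formula so spreadsheet apps treat exported user data as text` above the option, plus a test asserting that a constructed cell value such as `=1+1` is emitted with the escape prefix. Escaped cells no longer round-trip byte-for-byte, so any importer that reads this export back should be checked, as should any other CSV export path that calls `unparse` without the option. The enclosing method starts outside the hunk.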
