fix: added sanitizer for CSV

phpmyfaq/admin/report.export.php

@@ -116,7 +116,8 @@
 
     $content = '';
     foreach ($text as $row) {
-        $content .= implode(';', $row);
+        $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row);
+        $content .= implode(';', $csvRow);
         $content .= "\r\n";
     }
 

phpmyfaq/src/phpMyFAQ/Report.php

@@ -28,7 +28,7 @@ class Report
     /**
      * @var Configuration
      */
-    private $config;
+    private Configuration $config;
 
     /**
      * Constructor.
@@ -147,4 +147,18 @@ public function convertEncoding(string $outputString = ''): string
         $toBeRemoved = ['=', '+', '-', 'HYPERLINK'];
         return str_replace($toBeRemoved, '', $outputString);
     }
+
+    /**
+     * Sanitizes input to avoid CSV injection.
+     * @param string|int $value
+     * @return string
+     */
+    public static function sanitize($value): string
+    {
+        if (preg_match('/[=\+\-\@\|]/', $value)) {
+            $value = '"' . str_replace('"', '""', $value) . '"';
+        }
+
+        return $value;
+    }
 }

tests/phpMyFAQ/ReportTest.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace phpMyFAQ;
+
+use PHPUnit\Framework\TestCase;
+
+class ReportTest extends TestCase
+{
+
+    public function testSanitize(): void
+    {
+        $data = [
+            ['John Doe', 'john.doe@example.com', '12345'],
+            ['Jane Smith', 'jane.smith@example.com', '=SUM(A1:A10)'],
+        ];
+
+        $actual = [];
+
+        $expected = [
+            'John Doe,"john.doe@example.com",12345',
+            'Jane Smith,"jane.smith@example.com","=SUM(A1:A10)"'
+        ];
+
+        foreach ($data as $row) {
+            $csvRow = array_map(['phpMyFAQ\Report', 'sanitize'], $row);
+            $actual[] = implode(',', $csvRow);
+        }
+
+        $this->assertEquals($expected, $actual);
+    }
+}