Advisory: Excel converts CSV entries to formulas


If your application exports CSV, be advised that Excel and other spreadsheet applications treat cells that start with =, +, - or @ as formulas and evaluate them when the file is opened.

This is an issue if you output user input into such cells: not only is it probably not what you want, it also poses a security risk. See the link for attack vectors.

Note that current Excel versions will warn the user when opening the file. At least for the code execution vulnerability, these three warnings seem adequate to me.

Code execution warnings: [three screenshots of Excel's warning dialogs, not reproduced here]

External links: [one screenshot of Excel's warning dialog, not reproduced here]

Solution

If possible, always try to avoid CSV and output XLS(X) files directly as this does not suffer from this issue and has other advantages as well.
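When CSV output cannot be avoided, the usual mitigation is to neutralize any cell that starts with one of the trigger characters before it is written. The following Ruby is an added example and not code from the card: the function names (`formula_cell?`, `sanitize_csv_cell`, `quote_csv_field`, `csv_row`, `csv_document`) and the sample rows are my own, and the single-quote prefix is a common convention whose exact rendering you should verify in the spreadsheet application you target.

```ruby
# Added example, not code from the card. Neutralizes CSV cells that Excel
# would otherwise evaluate as formulas. All names here are hypothetical.

# Leading characters that spreadsheets treat as the start of a formula
# (the set named in the card above).
FORMULA_TRIGGERS = ['=', '+', '-', '@'].freeze

# True if a string cell would be interpreted as a formula when the CSV is
# opened in a spreadsheet. Useful as an audit check over existing exports.
def formula_cell?(value)
  value.is_a?(String) && !value.empty? && FORMULA_TRIGGERS.include?(value[0])
end

# Returns the cell content to write. Non-string values (Integer, Float, nil)
# are written as-is, so a negative number stays a number. Strings that would
# trigger formula parsing get a leading single quote, which spreadsheets
# take as "treat this cell as text". Caveat (assumption, verify with your
# target application): Excel may display the apostrophe literally when the
# CSV is opened directly rather than imported.
def sanitize_csv_cell(value)
  return value.to_s unless value.is_a?(String)
  formula_cell?(value) ? "'" + value : value
end

# Minimal RFC 4180 quoting: wrap the field in double quotes when it contains
# a separator, a double quote or a line break, doubling embedded quotes.
def quote_csv_field(field)
  return field unless field.match?(/[",\r\n]/)
  '"' + field.gsub('"', '""') + '"'
end

# Render one row as a CSV line, sanitizing every cell first.
def csv_row(cells)
  cells.map { |cell| quote_csv_field(sanitize_csv_cell(cell)) }.join(',')
end

# Constructed sample data: the last row stands in for user-provided input
# that happens to start with trigger characters.
SAMPLE_ROWS = [
  ['name', 'balance', 'note'],
  ['Alice', -12.5, 'paid, thanks'],
  ['=SUM(A1:A2)', 0, '@all'],
].freeze

# Build a complete CSV document with CRLF line endings.
def csv_document(rows = SAMPLE_ROWS)
  rows.map { |row| csv_row(row) }.join("\r\n") + "\r\n"
end

puts csv_document if __FILE__ == $PROGRAM_NAME
```

Sanitizing only `String` values keeps genuine numbers such as -12.5 intact; a string like "-12.5" coming from a form field is deliberately prefixed, because the exporter cannot know whether the user meant a number or a formula. `formula_cell?` on its own is handy as a check in a test suite that no export path emits a trigger character unescaped.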

Posted by Tobias Kraze to makandra dev (2017-10-10 11:54). Last edit by Dominic Beger. Source code in this card is licensed under the MIT License.