shahondin1624/Mitgliederverwaltung
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 16 Wiki Activity

fix: prevent CSV injection by escaping formula characters (Closes #174) #185

Merged
shahondin1624 merged 1 commits from feature/issue-174-csv-injection-prevention into main 2026-04-10 16:27:40 +02:00
Conversation 0 Commits 1 Files Changed 3
+52 -2
shahondin1624 commented 2026-04-10 16:27:35 +02:00
Owner
Copy Link
Copy Source

Summary

  • Adds CsvExportService::sanitizeCsvField() that prefixes fields starting with =, +, -, @ with a single quote
  • Prevents DDE/macro injection when CSV files are opened in Excel
  • Applied in both CsvExportService and EntityExportService

Test plan

  • 7 new unit tests for sanitizeCsvField
  • All 1019 tests pass
  • Normal text, empty strings, and numbers are unaffected

Closes #174

## Summary - Adds `CsvExportService::sanitizeCsvField()` that prefixes fields starting with `=`, `+`, `-`, `@` with a single quote - Prevents DDE/macro injection when CSV files are opened in Excel - Applied in both `CsvExportService` and `EntityExportService` ## Test plan - [x] 7 new unit tests for sanitizeCsvField - [x] All 1019 tests pass - [x] Normal text, empty strings, and numbers are unaffected Closes #174
shahondin1624 added 1 commit 2026-04-10 16:27:35 +02:00
fix: prevent CSV injection by escaping formula characters in exports (Closes #174) e1f5a81cfc 
Adds CsvExportService::sanitizeCsvField() that prefixes fields starting
with =, +, -, @ with a single quote to prevent DDE/macro injection in
spreadsheet applications. Applied in both CsvExportService and
EntityExportService. Includes 7 unit tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
shahondin1624 merged commit 21b025af87 into main 2026-04-10 16:27:40 +02:00
shahondin1624 deleted branch feature/issue-174-csv-injection-prevention 2026-04-10 16:27:40 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
backend
Backend / PHP work
 bug
Bug report
 database
Database migrations and schema
 documentation
Documentation
 enhancement
Enhancement or improvement
 epic
Epic / feature-group issues
 frontend
Frontend / Vue.js work
 integration
Nextcloud integrations (Calendar, Contacts, Files)
 priority:high
High priority
 priority:low
Low priority
 priority:medium
Medium priority
 security
Security-related work
 testing
Tests and test infrastructure
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
shahondin1624
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: shahondin1624/Mitgliederverwaltung#185
Delete Branch "feature/issue-174-csv-injection-prevention"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?