Modify formula injection warning when drupal/webform_xlsx_export is installed

Created on 11 April 2024, 3 months ago
Updated 7 May 2024, about 2 months ago

Problem/Motivation

When a user with access to download submissions chooses the “Delimited text” or “HTML Table” export format, they see a warning message like this:

Warning: Opening Delimited text files with spreadsheet applications may expose you to formula injection or other security vulnerabilities. When the submissions contain data from untrusted users and the downloaded file will be used with Microsoft Excel, use the Webform XLSX export module.

It's awesome to have this information right in the GUI if you have the access to install modules. However, the warning reads the same whether or not Webform XLSX export is installed, and it feels like it's not obvious for a user who just wants to download submissions how to modify their selections to avoid the danger.

Steps to reproduce

  1. Add and install Webform XLSX export module.
  2. Visit an existing webform download page, /admin/structure/webform/manage/[some_form_machine_name]/results/download.
  3. For the "Export format" select, choose "Delimited text".

Proposed resolution

When the Webform XLSX export module is installed, modify the warning to urge the user to choose the XLSX export format for their Excel files.

Remaining tasks

Add the tweaked warning message for:

  • Delimited text
  • HTML Table

User interface changes

A modest verbiage change.

Before

When downloading results, this warning message appears whether or not Webform XLSX export is installed.

After

Update to the message with this change applied and Webform XLSX export module installed.
If Webform XLSX export module is not installed, the warning displayed will be the same as "Before".

Here's where the user would choose the XLSX export format that module provides.

API changes

None.

Data model changes

None.

Feature request
Status

Fixed

Version

6.2

Component

User interface

Created by

🇺🇸United States jenna.tollerson Atlanta, Georgia, USA
