- Issue created by @bkosborne
- 🇺🇸 United States bkosborne New Jersey, USA
There's lots of conflicting information on how to properly handle this. Here are some resources:
- OWASP's CSV Injection page
- The Absurdly Underestimated Dangers of CSV Injection
- Vulnerability report of old PHPMyAdmin version
They all suggest slightly different things.
I created an MR that detects if a string starts with certain problematic characters and if so, prefixes it with a single quote. I'm not 100% sure that's enough. John suggested doing it based on the presence of any non-alphabetical first character, but I think this is likely fine and is more inclusive of non-English speaking languages that are much more likely to begin with different types of characters.
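The two rules discussed in the post, side by side, as an added example (this is not the MR's code). The trigger set is an assumption taken from OWASP's CSV injection guidance, since the post does not list its characters, and "non-alphabetical" is read here as "not an ASCII letter"; all function names and sample rows are constructed for illustration.

```python
import csv
import io
import string

# Assumed trigger set (OWASP's CSV injection guidance); the post does not list its own.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Targeted rule: prefix a single quote only when a trigger character leads the cell."""
    text = "" if value is None else str(value)
    # Side effect worth knowing: negative numbers such as -5 are prefixed too.
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def ascii_alpha_rule(value):
    """Broader rule (assumed reading): prefix any cell not starting with A-Z or a-z."""
    text = "" if value is None else str(value)
    if text and text[0] not in string.ascii_letters:
        return "'" + text
    return text


def export_rows(rows, rule=neutralize_cell):
    """Apply the chosen rule to every cell, then let the csv module handle quoting."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([rule(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: names in several scripts next to formula-like cells.
SAMPLE_ROWS = [
    ["Name", "Note"],
    ["Ünal", "=1+1"],
    ["Ωmega", "@SUM(A1:A2)"],
    ["Łukasz", -5],
    ["42 Main St", "plain text"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))                    # names left untouched
    print(export_rows(SAMPLE_ROWS, ascii_alpha_rule))  # non-ASCII names prefixed as well
```
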