Module: Spree::CSV::FormulaSanitizer
- Defined in:
- app/presenters/spree/csv/formula_sanitizer.rb
Overview
Neutralizes CSV formula injection (CWE-1236, OWASP "CSV Injection") by prefixing String cells that a spreadsheet would otherwise evaluate as a formula when the exported file is opened in Excel, Google Sheets, LibreOffice, or Numbers. Only the first character of a String is examined (see TRIGGERS); non-String values such as Integers and nil pass through unchanged. Export numeric columns as numbers rather than pre-formatted strings: a negative number handed over as the String "-5" is prefixed like any other cell starting with "-".
The leading apostrophe is the marker OWASP recommends: the spreadsheet treats the cell as text and never evaluates it. Whether the apostrophe itself stays visible depends on the application and on whether the file is imported or the value is typed into a cell, so consumers of the export may see it as part of the value.
Constant Summary
- TRIGGERS =
["=", "+", "-", "@", "\t", "\r", "\n"].freeze
Class Method Details
.cell(value) ⇒ Object
Returns value unchanged unless it is a non-empty String whose first character is one of TRIGGERS; in that case returns a new String with a single apostrophe prepended. Non-String values (Integer, nil, ...) are never modified.

# File 'app/presenters/spree/csv/formula_sanitizer.rb', line 15
def cell(value)
  return value unless value.is_a?(String)
  return value if value.empty?
  return value unless TRIGGERS.include?(value[0])
  "'#{value}"
end
.row(values) ⇒ Object
Applies .cell to each element of values and returns a new Array; the input is not mutated.

# File 'app/presenters/spree/csv/formula_sanitizer.rb', line 23
def row(values)
  values.map { |v| cell(v) }
end
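The following is an added example, not part of this YARD page or of Spree's own code, that wires the sanitizer described above into an export built with Ruby's standard csv library and then re-reads the generated text to check that no cell still begins with a trigger character. Because it has to run without Spree, it re-implements the two methods above under the local module name FormulaSanitizerExample; the sample rows, the HEADER constant and the helper methods sanitized_csv and unsafe_cells are constructed for this example and are assumptions, not Spree API.

```ruby
require "csv"

# Added example, not Spree's own code: a stand-alone copy of the
# Spree::CSV::FormulaSanitizer logic under a local name so it runs without Spree.
module FormulaSanitizerExample
  # Characters that make Excel, Google Sheets, LibreOffice or Numbers treat
  # a cell as a formula (or start a new cell/row) when the CSV is opened.
  TRIGGERS = ["=", "+", "-", "@", "\t", "\r", "\n"].freeze

  module_function

  # Prefix a String cell with an apostrophe when its first character is a
  # trigger. Non-String values (Integer, nil, ...) pass through untouched, so
  # numeric columns should be exported as numbers, not as pre-formatted strings.
  def cell(value)
    return value unless value.is_a?(String)
    return value if value.empty?
    return value unless TRIGGERS.include?(value[0])
    "'#{value}"
  end

  # Sanitize every element of a row; returns a new Array.
  def row(values)
    values.map { |v| cell(v) }
  end
end

# Constructed sample export (hypothetical data). Rows 2-5 carry the kind of
# payload an attacker could plant in a product name or address field.
HEADER = ["sku", "name", "qty", "delta"].freeze
SAMPLE_ROWS = [
  ["SKU-1", "Plain product", 19, -3],
  ["SKU-2", "=HYPERLINK(\"http://attacker.example/\",\"Click\")", 5, 0],
  ["SKU-3", "+1+1", 1, -2],
  ["SKU-4", "@SUM(1+1)", 2, 0],
  ["SKU-5", "\tleading tab", 0, 0],
  ["SKU-6", "-5 (a String, so it is prefixed)", 0, 0],
].freeze

# Build the CSV text with every row passed through the sanitizer. The csv
# library handles quoting, so embedded double quotes and separators in the
# payload cannot open a fresh cell that starts with a trigger.
def sanitized_csv(rows = SAMPLE_ROWS)
  CSV.generate do |csv|
    csv << HEADER
    rows.each { |r| csv << FormulaSanitizerExample.row(r) }
  end
end

# Re-parse the generated text and return every cell that still begins with a
# trigger character: the check a reviewer would run over the finished export.
# A bare numeric literal such as "-3" (an Integer cell that passed through
# untouched) is a number, not a formula, so it is not reported.
def unsafe_cells(csv_text)
  CSV.parse(csv_text).flatten.compact.select do |c|
    FormulaSanitizerExample::TRIGGERS.include?(c[0]) &&
      !c.match?(/\A-?\d+(\.\d+)?\z/)
  end
end

if __FILE__ == $PROGRAM_NAME
  out = sanitized_csv
  puts out
  puts "unsafe cells after sanitizing: #{unsafe_cells(out).inspect}"
  puts "unsafe cells in a raw export:  #{unsafe_cells("a,b\n=1+1,x\n").inspect}"
end
```

Running the file prints the sanitized export followed by an empty list for the sanitized text and ["=1+1"] for the unsanitized control line. The re-parse check is deliberately independent of the sanitizer: it looks at the bytes a spreadsheet will actually read, so it also catches cells that were written by a code path that forgot to call .row.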