author: johnnyshields <[email protected]> 2023-04-13 02:58:17 +0900
committer: Koza <[email protected]> 2023-10-02 13:37:17 +0200
commit: 5e0c5de04a098204e14e0f313a4ed4097743992e (patch)
tree: ee7542cbc9ffdc977fd4d251892b79023c0fbaa6
parent: ebbeaea97ad7b4a597b34d9283abd74aa2e4e077 (diff)
download: caxlsx-5e0c5de04a098204e14e0f313a4ed4097743992e.tar.gz
download: caxlsx-5e0c5de04a098204e14e0f313a4ed4097743992e.zip
Set escape_formulas as "true" as a global default.
-rw-r--r--  CHANGELOG.md                        |  1
-rw-r--r--  README.md                           | 16
-rw-r--r--  lib/axlsx.rb                        |  2
-rw-r--r--  test/tc_axlsx.rb                    |  2
-rw-r--r--  test/workbook/worksheet/tc_cell.rb  |  2
5 files changed, 10 insertions, 13 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67ca1cfe..d09e3196 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ CHANGELOG
- Fix `Workbook#sheet_by_name` not returning sheets with encoded characters in the name
- Raise exception if `axlsx_styler` gem is present as its code was merged directly into `caxlsx` in v3.3.0
- Add 'SortState' and 'SortCondition' classes to the 'AutoFilter' class to add sorting to the generated file.
+ - [PR #189](https://github.com/caxlsx/caxlsx/pull/189) - Make `Axlsx::escape_formulas` true by default to mitigate [Formula Injection](https://www.owasp.org/index.php/CSV_Injection) vulnerabilities.
- **April.23.23**: 3.4.1
- [PR #209](https://github.com/caxlsx/caxlsx/pull/209) - Revert characters other than `=` being considered as formulas.
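Review bot: the new entry spells the setting `Axlsx::escape_formulas`, while the README and lib/axlsx.rb hunks in this same patch call it `Axlsx.escape_formulas` (a module method with a matching setter, `Axlsx.escape_formulas = false`); use one spelling so a reader searching the changelog lands on the real call. Flipping a default is a breaking change for 3.x callers who relied on `=`-prefixed strings being written as formulas, so mark the entry as breaking and tie it to the release the README hunk names (4.0) instead of listing it among fixes with no version marker.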
diff --git a/README.md b/README.md
index a77a99a9..93bfa07f 100644
--- a/README.md
+++ b/README.md
@@ -124,24 +124,20 @@ Currently the following additional gems are available:
## Security
-To prevent [Formula Injection](https://www.owasp.org/index.php/CSV_Injection) vulnerabilities, set the following in an initializer:
+To prevent [Formula Injection](https://www.owasp.org/index.php/CSV_Injection) vulnerabilities, as of version 4.0, axlsx escapes all formulas by default. To permit formulas on a specific cell, please use:
```ruby
-Axlsx.escape_formulas = true
+cell.escape_formulas = false
```
-Then, set the following on each cell you'd like to add a formula:
+You may set `escape_formulas` on the workbook, worksheet, row and/or cell level. Refer to examples/escape_formula.md for details.
+
+To allow formulas globally by default (which was the behavior in axlsx 3.x and prior), you may set the following in an initializer:
```ruby
-cell.escape_formulas = false
+Axlsx.escape_formulas = false
```
-Refer to examples/escape_formula.md for how to set `escape_formulas` on the workbook, worksheet, row and/or cell level.
-
-**Important:** The global setting `Axlsx.escape_formulas = true` will become the default in the next major release (Axlsx 4.0).
-If you do not wish to set `Axlsx.escape_formulas = true` now, at a minimum, please set `Axlsx.escape_formulas = false` to
-ensure continuity when upgrading.
-
## Known Software Interoperability Issues
As axslx implements the Office Open XML (ECMA-376 spec) much of the
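Review bot: the rewritten text says axlsx "escapes all formulas by default", but the 3.4.1 entry in the CHANGELOG hunk ("Revert characters other than `=` being considered as formulas") and the lib/axlsx.rb docstring in this patch ("treat values starting with an equals sign as formulas or as literal strings") show that only values beginning with `=` are affected. Say so precisely: the linked OWASP page also lists `+`, `-`, `@`, tab and carriage return as formula triggers in some spreadsheet clients, and "all formulas" invites readers to assume those prefixes are covered. Deleting the "Important" paragraph also removes the only upgrade guidance; keep one sentence telling 3.x users that after upgrading, strings beginning with `=` are written as literal text unless they set `escape_formulas: false` on the workbook, worksheet, row or cell (or `Axlsx.escape_formulas = false` globally), and that the opt-out is best limited to cells whose content is not user-supplied.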
diff --git a/lib/axlsx.rb b/lib/axlsx.rb
index 71c0ca1c..1f43103e 100644
--- a/lib/axlsx.rb
+++ b/lib/axlsx.rb
@@ -220,7 +220,7 @@ module Axlsx
# See https://www.owasp.org/index.php/CSV_Injection for details.
# @return [Boolean]
def self.escape_formulas
- !defined?(@escape_formulas) || @escape_formulas.nil? ? false : @escape_formulas
+ !defined?(@escape_formulas) || @escape_formulas.nil? ? true : @escape_formulas
end
# Sets whether to treat values starting with an equals sign as formulas or as literal strings.
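Review bot: the guard at the changed line parses as intended (`||` binds tighter than `?:`, so both the undefined and the nil case yield `true`), but `@escape_formulas.nil? ? true : @escape_formulas` expresses the same thing and is easier to verify at a glance for a security default, since reading an unset instance variable returns nil; if the `defined?` check is kept to avoid the uninitialized-ivar warning on older Rubies, a short comment saying so would help. The YARD comment above the method (only `See https://...` and `@return [Boolean]` are visible here) should also state that the default is now `true`, so the generated docs, the code and the README agree.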
diff --git a/test/tc_axlsx.rb b/test/tc_axlsx.rb
index 66b12ff9..25b21777 100644
--- a/test/tc_axlsx.rb
+++ b/test/tc_axlsx.rb
@@ -165,7 +165,7 @@ class TestAxlsx < Test::Unit::TestCase
def test_escape_formulas
Axlsx.instance_variable_set(:@escape_formulas, nil)
- refute Axlsx.escape_formulas
+ assert Axlsx.escape_formulas
Axlsx.escape_formulas = true
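Review bot: resetting the instance variable to nil and asserting the default is the right check, but the next visible step, `Axlsx.escape_formulas = true`, now assigns the value the default already returns, so it no longer shows that an explicit setting overrides the default; add `Axlsx.escape_formulas = false` followed by `refute Axlsx.escape_formulas`. Because this test mutates module-level state that every other test reads, restore the variable to nil in an `ensure` or teardown so test ordering cannot change the outcome.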
diff --git a/test/workbook/worksheet/tc_cell.rb b/test/workbook/worksheet/tc_cell.rb
index a8ab6ca1..73b68fa6 100644
--- a/test/workbook/worksheet/tc_cell.rb
+++ b/test/workbook/worksheet/tc_cell.rb
@@ -411,7 +411,7 @@ class TestCell < Test::Unit::TestCase
def test_to_xml_string_formula
p = Axlsx::Package.new
- ws = p.workbook.add_worksheet do |sheet|
+ ws = p.workbook.add_worksheet(escape_formulas: false) do |sheet|
sheet.add_row ["=IF(2+2=4,4,5)"]
end
doc = Nokogiri::XML(ws.to_xml_string)
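Review bot: passing `escape_formulas: false` to `add_worksheet` keeps this test on the formula path, which is fine, but the patch adds no companion test for the new default: a worksheet created without the option should write `"=IF(2+2=4,4,5)"` as a literal string cell rather than a formula. Add that case beside this one, since the default flip is the security-relevant behaviour of this commit and it is otherwise covered only by the getter assertion in `tc_axlsx.rb`, not by the generated XML.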