author: Gabriel Morcote <[email protected]> 2019-12-20 15:01:35 -0600
committer: Stefan Daschek <[email protected]> 2019-12-20 22:01:35 +0100
commit: 0a223011a26949ddc00eba882005daee7afeb6a6 (patch)
tree: a5ffc3459f43e0efef8326dbd1738cac5c5dbc0f /examples
parent: 99d3d2fbe5b07aa005b475b8cdc4e6238c3d5e28 (diff)
Add option to protect against formula injection attacks (#34)
Caxlsx used to treat cell values beginning with an equal sign as formulas by default. This can be dangerous if the input data is user generated or coming from other untrusted sources (see https://www.owasp.org/index.php/CSV_Injection for details). This commit adds a new option `escape_formulas` that can be used with `#add_row` and on instances of `Cell`. If set to true, cell values beginning with an equal sign are treated as normal strings (and will be displayed literally by Excel and co.)
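To make the behaviour the commit message describes concrete, here is an added, self-contained Ruby model of the option; it is not caxlsx code and the function names are hypothetical. It classifies each cell as a formula or a literal string depending on the `escape_formulas` flag (a single boolean for the row or one boolean per cell, the two forms the new example uses), and it renders both outcomes in the SpreadsheetML shape used inside an .xlsx: a formula cell stores its text in `<f>` without the leading `=`, a literal is stored as an inline string. It also includes a broader `dangerous_start?` check, based on the OWASP page the commit cites, for the `+`, `-`, `@`, tab and CR prefixes that `escape_formulas` as described does not cover; that wider list is an assumption about what a caller with untrusted input would want, not a caxlsx feature.

```ruby
# Added example (not caxlsx code): models the escape_formulas option described
# in the commit message and shows what the two cell types look like in the
# SpreadsheetML that ends up inside the .xlsx. Function names are hypothetical.

# Characters spreadsheet applications may treat as the start of a formula.
# The commit only covers "="; the OWASP CSV Injection page lists these too.
FORMULA_TRIGGERS = ["=", "+", "-", "@", "\t", "\r"].freeze

# The commit's rule: a string beginning with "=" is a formula unless escaped.
def formula_string?(value)
  value.is_a?(String) && value.start_with?("=")
end

# Wider check than the commit's "=" rule (assumption based on OWASP guidance).
def dangerous_start?(value)
  value.is_a?(String) && FORMULA_TRIGGERS.any? { |c| value.start_with?(c) }
end

def xml_escape(text)
  text.to_s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# escape_formulas may be one boolean for the whole row or an array with one
# boolean per cell, as in the two add_row calls of the new example.
def escape_flag_for(escape_formulas, index)
  escape_formulas.is_a?(Array) ? !!escape_formulas[index] : !!escape_formulas
end

def cell_type(value, escape: false)
  return :number if value.is_a?(Numeric)
  return :string unless value.is_a?(String)
  formula_string?(value) && !escape ? :formula : :string
end

def row_types(values, escape_formulas: false)
  values.each_with_index.map do |v, i|
    cell_type(v, escape: escape_flag_for(escape_formulas, i))
  end
end

# One <c> element per cell, in the form SpreadsheetML uses: a formula cell
# carries <f> (without the leading "="), a literal string is an inline string,
# a number goes into <v>.
def cell_xml(value, escape: false)
  case cell_type(value, escape: escape)
  when :number  then "<c><v>#{value}</v></c>"
  when :formula then "<c><f>#{xml_escape(value[1..])}</f></c>"
  else "<c t=\"inlineStr\"><is><t>#{xml_escape(value)}</t></is></c>"
  end
end

def row_xml(values, escape_formulas: false)
  cells = values.each_with_index.map do |v, i|
    cell_xml(v, escape: escape_flag_for(escape_formulas, i))
  end
  "<row>#{cells.join}</row>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rows; the last value has the shape of a CSV-injection payload.
  puts row_xml([1, 2, 3, "=SUM(A2:C2)"], escape_formulas: true)
  puts row_xml(["=IF(2+2=4,4,5)", "=IF(13+13=4,4,5)"], escape_formulas: [true, false])
  puts dangerous_start?("+cmd|' /C calc'!A0")
end
```

Run it directly to see the two XML forms side by side; the point for a reviewer is that with the flag set, the equal sign is still in the file, but in a `<t>` text node rather than an `<f>` formula node, which is why Excel shows it literally.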
Diffstat (limited to 'examples')
-rwxr-xr-x examples/example.rb 17
1 files changed, 16 insertions, 1 deletions
diff --git a/examples/example.rb b/examples/example.rb
index 9266f830..8fcfe7d4 100755
--- a/examples/example.rb
+++ b/examples/example.rb
@@ -21,6 +21,7 @@ examples << :images
examples << :format_dates
examples << :mbcs
examples << :formula
+examples << :escape_formulas
examples << :auto_filter
examples << :sheet_protection
examples << :data_types
@@ -364,6 +365,21 @@ if examples.include? :formula
end
##```
+##Escaping formulas for cells
+#```ruby
+if examples.include? :escape_formulas
+ wb.add_worksheet(:name => "Escaping Formulas") do |sheet|
+ sheet.add_row [1, 2, 3, "=SUM(A2:C2)"], escape_formulas: true
+ sheet.add_row [
+ "=IF(2+2=4,4,5)",
+ "=IF(13+13=4,4,5)",
+ "=IF(99+99=4,4,5)"
+ ], escape_formulas: [true, false, true]
+ end
+ p.serialize("escaped_formulas.xlsx")
+end
+##```
+
##Auto Filter
#```ruby
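Review bot: the second add_row in the new "Escaping formulas for cells" block leaves its middle cell `"=IF(13+13=4,4,5)"` as a live formula (`escape_formulas: [true, false, true]`), but nothing in the example says so, and a reader copying it as a hardening recipe can easily miss that the array form is per cell. Suggest a one-line comment above that row, e.g. `# per-cell flags: only the middle cell stays a formula`, and a second comment stating that `escape_formulas` only covers values beginning with `=` (as the commit message says), while the OWASP page it cites also lists `+`, `-` and `@` as formula triggers, so code fed untrusted input still needs its own check for those prefixes.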
@@ -882,4 +898,3 @@ if examples.include? :tab_color
p.serialize 'tab_color.xlsx'
end
##```
-
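Review bot: this last hunk only removes the trailing blank line at the end of example.rb and has nothing to do with the escape_formulas change; either mention the whitespace cleanup in the commit message or drop it so the diff stays focused on the new option.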