| author | johnnyshields <[email protected]> | 2023-04-02 03:11:34 +0900 |
|---|---|---|
| committer | johnnyshields <[email protected]> | 2023-04-02 03:11:34 +0900 |
| commit | 98a26ea04e886ce6f712e4e97e6b9d09b4691bb6 (patch) | |
| tree | d76b9198f66993ac70faf4a8a9afa83fc492fb94 /lib | |
| parent | aad14cd003e08fae6fdb29ab675b975c9619b8c3 (diff) | |
| download | caxlsx-98a26ea04e886ce6f712e4e97e6b9d09b4691bb6.tar.gz caxlsx-98a26ea04e886ce6f712e4e97e6b9d09b4691bb6.zip | |
`escape_formulas` should handle all [OWASP-designated formula prefixes](https://owasp.org/www-community/attacks/CSV_Injection).
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/axlsx/workbook/worksheet/cell.rb | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/axlsx/workbook/worksheet/cell.rb b/lib/axlsx/workbook/worksheet/cell.rb
index 8e55d0c5..f0345705 100644
--- a/lib/axlsx/workbook/worksheet/cell.rb
+++ b/lib/axlsx/workbook/worksheet/cell.rb
@@ -72,6 +72,10 @@ module Axlsx
CELL_TYPES = [:date, :time, :float, :integer, :richtext, :string, :boolean, :iso_8601, :text].freeze
+ # Leading characters that indicate a formula.
+ # See: https://owasp.org/www-community/attacks/CSV_Injection
+ FORMULA_PREFIXES = ['-', '=', '+', '@', '%', '|', "\r", "\t"].freeze
+
# The index of the cellXfs item to be applied to this cell.
# @return [Integer]
# @see Axlsx::Styles
@@ -170,7 +174,7 @@ module Axlsx
!is_text_run? && # No inline styles
[email protected]? && # Not nil
[email protected]? && # Not empty
- [email protected]_with?(?=) # Not a formula
+ [email protected]_with?(*FORMULA_PREFIXES) # Not a formula
end
# The inline font_name property for the cell
@@ -368,7 +372,7 @@ module Axlsx
def is_formula?
return false if escape_formulas
type == :string && @value.to_s.start_with?(?=)
+ type == :string && @value.to_s.start_with?(*FORMULA_PREFIXES)
end
def is_array_formula? |
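Review bot: The widened predicate in `is_formula?` (third hunk) means that with `escape_formulas` off, any string value beginning with `-`, `+`, `@`, `%`, `|`, CR or TAB is now classified as a formula, so ordinary inputs such as `-1`, `+44 20 7946 0000` or `@handle` change category, and if that predicate selects formula output (its consumer is not in this diff) they would be emitted as formulas rather than literal text, which is the opposite of what the linked OWASP guidance aims at. Whether a value must be escaped when written as text and whether it is a formula are separate questions, and before this change only `=` answered the second one. I would keep `type == :string && @value.to_s.start_with?(?=)` in `is_formula?` and reserve `FORMULA_PREFIXES` for the escaping path, with a comment on the constant such as `# Prefixes that need escaping when escape_formulas is set; not the marker for a real formula.` The same substitution in the predicate of the second hunk (its `def` line is outside the hunk) has a parallel effect on which strings are treated as plain, and a spec covering a value like `"-1"` with `escape_formulas` both on and off would pin the intended behaviour.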
