`escape_formulas` should handle all [OWASP-designated formula prefixes](https://owasp.org/www-community/attacks/CSV_Injection).

1 files changed, 32 insertions, 1 deletions

diff --git a/test/workbook/worksheet/tc_cell.rb b/test/workbook/worksheet/tc_cell.rb
index bdbfd59d..b8e16404 100644
--- a/test/workbook/worksheet/tc_cell.rb
+++ b/test/workbook/worksheet/tc_cell.rb
@@ -382,6 +382,37 @@ class TestCell < Test::Unit::TestCase
     assert(doc.xpath("//t[text()='=IF(2+2=4,4,5)']").any?)
   end
 
+  def test_to_xml_string_numeric_escaped
+    p = Axlsx::Package.new
+    ws = p.workbook.add_worksheet do |sheet|
+      sheet.add_row ["-1", "+2"], escape_formulas: true, types: :text
+    end
+    doc = Nokogiri::XML(ws.to_xml_string)
+    doc.remove_namespaces!
+    assert(doc.xpath("//t[text()='-1']").any?)
+    assert(doc.xpath("//t[text()='+2']").any?)
+  end
+
+  def test_to_xml_string_other_owasp_escaped
+    p = Axlsx::Package.new
+    ws = p.workbook.add_worksheet do |sheet|
+      sheet.add_row [
+        "@1",
+        "%2",
+        "|3",
+        "\rfoo",
+        "\tbar"
+      ], escape_formulas: true
+    end
+    doc = Nokogiri::XML(ws.to_xml_string)
+    doc.remove_namespaces!
+    assert(doc.xpath("//t[text()='@1']").any?)
+    assert(doc.xpath("//t[text()='%2']").any?)
+    assert(doc.xpath("//t[text()='|3']").any?)
+    assert(doc.xpath("//t[text()='\nfoo']").any?)
+    assert(doc.xpath("//t[text()='\tbar']").any?)
+  end
+
   def test_to_xml_string_formula_escape_array_parameter
     p = Axlsx::Package.new
     ws = p.workbook.add_worksheet do |sheet|
@@ -414,7 +445,7 @@ class TestCell < Test::Unit::TestCase
   def test_to_xml_string_text_formula
     p = Axlsx::Package.new
     ws = p.workbook.add_worksheet do |sheet|
-      sheet.add_row ["=1+1", "-1+1"], type: :text
+      sheet.add_row ["=1+1", "-1+1"], types: :text
     end
     doc = Nokogiri::XML(ws.to_xml_string)
     doc.remove_namespaces!