From 377ad94928c3f76e36d0c2aef05fca5dd13e1aae Mon Sep 17 00:00:00 2001
From: johnnyshields
Date: Sat, 1 Apr 2023 17:06:08 +0900
Subject: Additional tests + CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
(limited to 'CHANGELOG.md')
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39002c80..8537ea6e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 CHANGELOG
 ---------
 - **Unreleased**
+ - [PR #186](https://github.com/caxlsx/caxlsx/pull/186) - Add `escape_formulas` to global, workbook, worksheet, row and cell levels, and standardize behavior.
 - Fix bug when calling `worksheet.add_border("A1:B2", nil)`
 - Change `BorderCreator#initialize` arguments handling
 - Fix `add_border` to work with singluar cell refs
-- cgit v1.2.3
From 98a26ea04e886ce6f712e4e97e6b9d09b4691bb6 Mon Sep 17 00:00:00 2001
From: johnnyshields
Date: Sun, 2 Apr 2023 03:11:34 +0900
Subject: `escape_formulas` should handle all [OWASP-designated formula prefixes](https://owasp.org/www-community/attacks/CSV_Injection).
---
 CHANGELOG.md | 1 +
 lib/axlsx/workbook/worksheet/cell.rb | 8 ++++++--
 test/workbook/worksheet/tc_cell.rb | 33 ++++++++++++++++++++++++++++++++-
 3 files changed, 39 insertions(+), 3 deletions(-)
(limited to 'CHANGELOG.md')
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8537ea6e..1ebf252c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@ CHANGELOG
 ---------
 - **Unreleased**
 - [PR #186](https://github.com/caxlsx/caxlsx/pull/186) - Add `escape_formulas` to global, workbook, worksheet, row and cell levels, and standardize behavior.
+ - [PR #186](https://github.com/caxlsx/caxlsx/pull/186) - `escape_formulas` should handle all [OWASP-designated formula prefixes](https://owasp.org/www-community/attacks/CSV_Injection).
 - Fix bug when calling `worksheet.add_border("A1:B2", nil)`
 - Change `BorderCreator#initialize` arguments handling
 - Fix `add_border` to work with singluar cell refs
diff --git a/lib/axlsx/workbook/worksheet/cell.rb b/lib/axlsx/workbook/worksheet/cell.rb
index 8e55d0c5..f0345705 100644
--- a/lib/axlsx/workbook/worksheet/cell.rb
+++ b/lib/axlsx/workbook/worksheet/cell.rb
@@ -72,6 +72,10 @@ module Axlsx
 CELL_TYPES = [:date, :time, :float, :integer, :richtext, :string, :boolean, :iso_8601, :text].freeze
+ # Leading characters that indicate a formula.
+ # See: https://owasp.org/www-community/attacks/CSV_Injection
+ FORMULA_PREFIXES = ['-', '=', '+', '@', '%', '|', "\r", "\t"].freeze
+
 # The index of the cellXfs item to be applied to this cell.
 # @return [Integer]
 # @see Axlsx::Styles
@@ -170,7 +174,7 @@ module Axlsx
 !is_text_run? && # No inline styles
 !@value.nil? && # Not nil
 !@value.empty? && # Not empty
- !@value.start_with?(?=) # Not a formula
+ !@value.start_with?(*FORMULA_PREFIXES) # Not a formula
 end
 # The inline font_name property for the cell
@@ -368,7 +372,7 @@ module Axlsx
 def is_formula?
 return false if escape_formulas
- type == :string && @value.to_s.start_with?(?=)
+ type == :string && @value.to_s.start_with?(*FORMULA_PREFIXES)
 end
 def is_array_formula?
diff --git a/test/workbook/worksheet/tc_cell.rb b/test/workbook/worksheet/tc_cell.rb
index bdbfd59d..b8e16404 100644
--- a/test/workbook/worksheet/tc_cell.rb
+++ b/test/workbook/worksheet/tc_cell.rb
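Review bot: In the `is_formula?` hunk (`@@ -368`), widening `start_with?(?=)` to `start_with?(*FORMULA_PREFIXES)` changes what counts as an intentional formula when `escape_formulas` is false: a string cell whose value begins with `-`, `+`, `@`, `%`, `|`, CR or TAB now satisfies `is_formula?`, whereas before only `=` did. What the formula path emits is outside this hunk, but values such as `"-1"` or `"@1"` that used to be written as strings would presumably now be written as formula text, and `@1`, `%2` or `|3` are unlikely to be accepted as valid formulas by the consuming application. The broad prefix list belongs on the escaping side (the `@@ -170` hunk, whose enclosing method starts outside the hunk), while formula detection should stay narrow: `type == :string && @value.to_s.start_with?(?=)`. A short comment on `FORMULA_PREFIXES` saying which entries come from the cited OWASP page and why `%` and `|` are included would also help the next reader, since those two are not obviously covered by the reference.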
@@ -382,6 +382,37 @@ class TestCell < Test::Unit::TestCase
 assert(doc.xpath("//t[text()='=IF(2+2=4,4,5)']").any?)
 end
+ def test_to_xml_string_numeric_escaped
+ p = Axlsx::Package.new
+ ws = p.workbook.add_worksheet do |sheet|
+ sheet.add_row ["-1", "+2"], escape_formulas: true, types: :text
+ end
+ doc = Nokogiri::XML(ws.to_xml_string)
+ doc.remove_namespaces!
+ assert(doc.xpath("//t[text()='-1']").any?)
+ assert(doc.xpath("//t[text()='+2']").any?)
+ end
+
+ def test_to_xml_string_other_owasp_escaped
+ p = Axlsx::Package.new
+ ws = p.workbook.add_worksheet do |sheet|
+ sheet.add_row [
+ "@1",
+ "%2",
+ "|3",
+ "\rfoo",
+ "\tbar"
+ ], escape_formulas: true
+ end
+ doc = Nokogiri::XML(ws.to_xml_string)
+ doc.remove_namespaces!
+ assert(doc.xpath("//t[text()='@1']").any?)
+ assert(doc.xpath("//t[text()='%2']").any?)
+ assert(doc.xpath("//t[text()='|3']").any?)
+ assert(doc.xpath("//t[text()='\nfoo']").any?)
+ assert(doc.xpath("//t[text()='\tbar']").any?)
+ end
+
 def test_to_xml_string_formula_escape_array_parameter
 p = Axlsx::Package.new
 ws = p.workbook.add_worksheet do |sheet|
@@ -414,7 +445,7 @@ class TestCell < Test::Unit::TestCase
 def test_to_xml_string_text_formula
 p = Axlsx::Package.new
 ws = p.workbook.add_worksheet do |sheet|
- sheet.add_row ["=1+1", "-1+1"], type: :text
+ sheet.add_row ["=1+1", "-1+1"], types: :text
 end
 doc = Nokogiri::XML(ws.to_xml_string)
 doc.remove_namespaces!
-- cgit v1.2.3
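Review bot: Both added tests exercise only `escape_formulas: true`; neither pins what a string such as `"-1"` or `"@1"` becomes when `escape_formulas` is false, which is exactly the path the companion `is_formula?` change in cell.rb widened, so a regression there would pass this suite. A third test that adds the same row with `escape_formulas: false` and asserts whether each value is emitted as a string or as a formula would close that gap. The `'\nfoo'` assertion for the `"\rfoo"` input also deserves a one-line comment, since the mismatch reads like a typo: `# the raw CR is normalized to LF when the XML is parsed back, so "\rfoo" reads as "\nfoo"`, presumably XML end-of-line handling rather than something done on write, which is worth confirming. `TestCell` itself is defined outside the hunk.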