On Thu, 11 Nov 2021 at 11:36, P. Ottlinger <pottlin...@apache.org> wrote:
>
> Hi guys,
>
> thanks for your reply.
>
> Maybe I'm misinterpreting something but I thought that it could be made
> possible to configure CSVFormat-object when writing the CSV data in a
> way that any data with possibly corrupting values (as shown on the OWASP
> page) will mask the whole contents of the cell.
>
> Thus a library such as commons-csv would be able to lower the risk for
> CSV injection and not every client/customer would have to manually
> create this protecting logic.
>
> To my mind it's a simple parser for "dangerous" tokens that quotes the
> given data with additional " .... as we do not need to write
> functioning Excel formulas into CSV.
>
> WDYT?

As the others have said, this is the wrong place to be looking to fix
the problem.

CSV files are used for lots of things other than spreadsheets, so what
is dangerous in one application might be essential in another.

Besides, not all CSV files will be processed by Commons CSV on their
route to a spreadsheet app.

Such checks need to be made at the input to the application that processes it.

> Cheers,
> Phil
>
> On 10.11.21 at 20:53, Gary Gregory wrote:
> > I agree with Matt. CSV is just a container, it doesn't know or care what
> > the concept of a "formula" is.
> >
> > Gary
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org
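
The reply's point that the check belongs in the application that knows where the file is going, as an added example that is not part of the original thread or of Commons CSV. The class and method names (`SpreadsheetExport`, `neutralize`, `write`) are hypothetical, the sample rows are constructed, and the trigger characters and the leading-apostrophe mitigation follow the OWASP CSV injection page mentioned in the thread; it needs commons-csv on the classpath.

```java
import org.apache.commons.csv.CSVFormat;
import org.apache.commons.csv.CSVPrinter;

import java.io.IOException;
import java.io.StringWriter;
import java.util.List;

/** Added example: hypothetical application-side export code, not Commons CSV code. */
public class SpreadsheetExport {

    // Leading characters the OWASP CSV injection page lists as formula triggers.
    private static final String TRIGGERS = "=+-@\t\r";

    /** Prefix a cell with ' so a spreadsheet displays it as text instead of evaluating it. */
    static String neutralize(String cell) {
        if (cell == null || cell.isEmpty()) {
            return cell;
        }
        return TRIGGERS.indexOf(cell.charAt(0)) >= 0 ? "'" + cell : cell;
    }

    /**
     * Writes rows with Commons CSV. Only the caller knows the destination:
     * forSpreadsheet=true neutralizes cells; false leaves the data unchanged
     * for consumers where "-5" or "=x" is legitimate data.
     */
    static String write(List<List<String>> rows, boolean forSpreadsheet) throws IOException {
        StringWriter out = new StringWriter();
        try (CSVPrinter printer = new CSVPrinter(out, CSVFormat.DEFAULT)) {
            for (List<String> row : rows) {
                for (String cell : row) {
                    printer.print(forSpreadsheet ? neutralize(cell) : cell);
                }
                printer.println(); // end of record
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample rows: one formula-like cell and one negative number.
        List<List<String>> rows = List.of(
                List.of("name", "note", "delta"),
                List.of("alice", "=1+1", "-5"));
        System.out.print(write(rows, true));   // file a person will open in a spreadsheet
        System.out.print(write(rows, false));  // file for a machine consumer, data untouched
    }
}
```

In spreadsheet mode the negative number `-5` is also written as `'-5`, which is exactly the kind of change that would corrupt data for a non-spreadsheet consumer.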
