Prevent CSV Injection when using user generated data
```python
def escape_csv(payload):
    # Empty input has no first character to inspect.
    if not payload:
        return payload
    # A leading formula trigger is neutralised with an apostrophe,
    # which spreadsheets treat as "this cell is text".
    if payload[0] in ('@', '+', '-', '=', '|'):
        payload = "'" + payload
    # '|' separates DDE command parts; escape it with a backslash
    # ("\\|" is the correct literal; "\|" is an invalid escape sequence).
    payload = payload.replace("|", "\\|")
    return payload


# Example
payload = "@cmd|' /C calc'!A0"
print("The Unescaped version is: " + payload)
print("When passed through escape function the value is: " + escape_csv(payload))
```
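The gist escapes a single value; in practice every untrusted cell of an exported file needs the same treatment. The following is an added example (not part of the gist) that applies the same idea to whole rows using the standard `csv` module, quoting every field and also covering leading tab and carriage return, which some spreadsheet importers treat as formula triggers. The function and constant names are the example's own.

```python
import csv
import io

# Characters that make a spreadsheet evaluate a cell as a formula when they
# appear first. The gist covers @ + - = |; tab and carriage return are added
# here because some importers honour them too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "|", "\t", "\r")


def neutralise_cell(value):
    """Return a cell value a spreadsheet will display as text, not evaluate."""
    text = "" if value is None else str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        # A leading apostrophe forces text mode in Excel and LibreOffice.
        # Caveat: negative numbers such as "-42" are prefixed as well.
        text = "'" + text
    # DDE payloads use '|' as a separator; break it up as the gist does.
    return text.replace("|", "\\|")


def rows_to_csv(rows):
    """Serialise rows of untrusted cells to CSV with every cell neutralised."""
    buf = io.StringIO()
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    # so a value cannot break out of its own cell into a neighbouring one.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: a header, a benign row, and a row carrying the gist's
# DDE-style payload in a field an end user controls.
SAMPLE_ROWS = [
    ["user", "comment"],
    ["alice", "looks good"],
    ["mallory", "@cmd|' /C calc'!A0"],
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_ROWS))
```

Reading the output back with `csv.reader` returns the neutralised strings unchanged, so the apostrophe survives a round trip and is only interpreted by the spreadsheet on open.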
gregsadetsky commented Jul 5, 2017

Tiny comment: the last two lines should instead be

```python
print "The Unescaped version is: " + payload
print "When passed through escape function the value is: " + escape_csv(payload)
```
