Last active
September 16, 2023 07:56
-
-
Save seanieb/1939fd1bc24db7980c5c0c8e09524b04 to your computer and use it in GitHub Desktop.
Prevent CSV Injection when suing user generated data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def escape_csv(user_generated_string): | |
| """ | |
| CSV injection esacaping for Python. Excel treats a string as active content when it encounters a | |
| "trigger" character at the start of the string. This method returns the string with | |
| the triger character escaped. | |
| """ | |
| if user_generated_string[0] in ('@','+','-', '='): | |
| user_generated_string = "'" + user_generated_string | |
| return user_generated_string | |
| # Example | |
| user_generated_string = '@bob' | |
| print escape_csv(user_generated_string) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've added an updated escape, in a fork :)
The issue here isn't the
@character, or=,+,-. The problem is with the pipe (|) character, which Excel and other applications use to execute arbitrary commands. From research the best workaround is to escape the pipe character using a\.This is due to excel looking for an executable named cmd.exe however when adding a\into the path the exe will not launch hence escaping and fixing the issue.