From ada9b89149a2b69eba4670b26db6d9b3c695f779 Mon Sep 17 00:00:00 2001
From: Tim Wentzell
Date: Wed, 6 Jan 2021 12:20:40 -0400
Subject: [PATCH] Prevent csv/xls injection (#429)
---
 src/Writer/CsvWriter.php | 7 +++++++
 src/Writer/XlsWriter.php | 5 ++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/Writer/CsvWriter.php b/src/Writer/CsvWriter.php
index e635b02d..d97023f7 100644
--- a/src/Writer/CsvWriter.php
+++ b/src/Writer/CsvWriter.php
@@ -137,6 +137,13 @@ public function write(array $data): void
 EXCEPTION);
 }
 
+ // prevent csv injection
+ $patterns = ['/^=/', '/^\+/', '/^-/', '/^@/'];
+ $replace = ['!=', '!+', '!-', '!@'];
+ foreach ($data as $key => $value) {
+ $data[$key] = preg_replace($patterns, $replace, $value);
+ }
+
 $result = @fputcsv($this->file, $data, $this->delimiter, $this->enclosure, $this->escape);
 
 if (!$result) {
diff --git a/src/Writer/XlsWriter.php b/src/Writer/XlsWriter.php
index 49327e27..43ad5a2c 100644
--- a/src/Writer/XlsWriter.php
+++ b/src/Writer/XlsWriter.php
@@ -78,8 +78,11 @@ public function write(array $data): void
 $this->init($data);
 fwrite($this->file, '');
 
+ // prevent xls injection
+ $patterns = ['/^=/', '/^\+/', '/^-/', '/^@/'];
+ $replace = ['!=', '!+', '!-', '!@'];
 foreach ($data as $value) {
- fwrite($this->file, sprintf('%s', $value));
+ fwrite($this->file, sprintf('%s', preg_replace($patterns, $replace, $value)));
 }
 
 fwrite($this->file, '');
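Review bot: The `/^-/` rule in the added foreach rewrites every cell that begins with a hyphen, so legitimate negative numbers (`-12.5` becomes `!-12.5`) and hyphen-led text are corrupted in the export, and because preg_replace stringifies its subject every int/float/null cell is now emitted as a string (a non-string cell would raise a TypeError if this file declares strict_types, which the hunk does not show). Restricting the rewrite to non-numeric strings keeps the mitigation while leaving numbers intact: `$data[$key] = is_string($value) && !is_numeric($value) ? preg_replace($patterns, $replace, $value) : $value;`. The trigger list also omits a leading tab and carriage return, which the commonly cited OWASP CSV-injection guidance treats the same as `=`, `+`, `-` and `@`; adding `'/^\t/'` and `'/^\r/'` with matching replacements would close that gap. Both points apply equally to the XlsWriter hunk below, and write()'s body starts and ends outside this hunk.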
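Review bot: The `$patterns`/`$replace` pair is copy-pasted from CsvWriter, so the two writers will drift the first time one list is amended; a shared helper (for example a `neutralizeFormulaPrefix()` method on a trait or base class both writers use, with a short docblock naming the prefixes it rewrites and why) would give the rule a single source of truth. Within this hunk the rewritten value also goes straight into `sprintf('%s', …)`; if that format string carries markup that this listing has stripped, the cell would additionally need context-appropriate output escaping, which the formula-prefix rewrite does not provide. write()'s body starts and ends outside this hunk.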