From 079e3abe98a054f5304592def7a0e8fdb9b06eee Mon Sep 17 00:00:00 2001
From: Pranav C
Date: Mon, 20 Dec 2021 15:41:46 +0530
Subject: [PATCH] fix: sanitize user data while generating csv to avoid formula injection
Signed-off-by: Pranav C
---
 .../lib/dataMapper/lib/sql/BaseModelSql.ts | 25 +++++++++++--------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts b/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts
index 28a0931b9a..7855d75281 100644
--- a/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts
+++ b/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts
@@ -2556,16 +2556,21 @@ class BaseModelSql extends BaseModel {
 }
 }
- const data = Papaparse.unparse({
- fields:
- fields &&
- fields.filter(
- f =>
- this.columns.some(c => c._cn === f) ||
- this.virtualColumns.some(c => c._cn === f)
- ),
- data: csvRows
- });
+ const data = Papaparse.unparse(
+ {
+ fields:
+ fields &&
+ fields.filter(
+ f =>
+ this.columns.some(c => c._cn === f) ||
+ this.virtualColumns.some(c => c._cn === f)
+ ),
+ data: csvRows
+ },
+ {
+ escapeFormulae: true
+ }
+ );
 return { data, offset, elapsed };
 }
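Review bot: The new `escapeFormulae: true` option on the `Papaparse.unparse` call is only honored by Papaparse releases that implement it (a 5.x addition, as far as I recall); an older installed build ignores unknown options and would keep emitting raw `=`/`+`/`-`/`@` cells, so the fix should be paired with a minimum Papaparse version in package.json and a regression test asserting that a cell such as `=1+1` comes back with a leading `'` (e.g. `expect(data).toContain("'=1+1")`). Which leading characters the library's default escape regex covers has also changed across releases (I believe later ones add tab and carriage return), so if a specific character set is required, passing an explicit RegExp to `escapeFormulae` pins the behaviour instead of relying on the default. A one-line comment on the option, `// prefix cells starting with =,+,-,@ with ' so spreadsheet apps do not evaluate them`, would record why it is there. The enclosing method begins and ends outside this hunk.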