
fix: sanitize user data while generating csv to avoid formula injection

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/894/head
Pranav C 3 years ago
parent
commit
079e3abe98
  1. 9
      packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts

9
packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts

@ -2556,7 +2556,8 @@ class BaseModelSql extends BaseModel {
} }
} }
const data = Papaparse.unparse({ const data = Papaparse.unparse(
{
fields: fields:
fields && fields &&
fields.filter( fields.filter(
@ -2565,7 +2566,11 @@ class BaseModelSql extends BaseModel {
this.virtualColumns.some(c => c._cn === f) this.virtualColumns.some(c => c._cn === f)
), ),
data: csvRows data: csvRows
}); },
{
escapeFormulae: true
}
);
return { data, offset, elapsed }; return { data, offset, elapsed };
} }
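Review bot: The new `escapeFormulae: true` config passed as the second argument to `Papaparse.unparse` has no comment. A papaparse release that predates the option would presumably ignore it silently, so the hardening could regress on a dependency change without anything failing. I would add a comment above the config object, such as `// escapeFormulae: neutralise cells a spreadsheet would evaluate as a formula; requires a papaparse release that supports this option`, and a regression test that exports a row whose value starts with `=` and asserts the cell is escaped in the output. The escaping may also alter string values that legitimately start with `-` or `+`, so confirm that any CSV re-import path tolerates the changed cells. The enclosing method starts outside the visible hunks, so other call sites of `Papaparse.unparse` cannot be checked from here.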
