
fix: sanitize user data while generating csv to avoid formula injection

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/894/head
Pranav C 3 years ago
parent
commit
079e3abe98
  1. 25
      packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts

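--- a/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts
+++ b/packages/nocodb/src/lib/dataMapper/lib/sql/BaseModelSql.ts
@@ -2556,16 +2556,21 @@ class BaseModelSql extends BaseModel {
 }
 }
-const data = Papaparse.unparse({
-fields:
-fields &&
-fields.filter(
-f =>
-this.columns.some(c => c._cn === f) ||
-this.virtualColumns.some(c => c._cn === f)
-),
-data: csvRows
-});
+const data = Papaparse.unparse(
+{
+fields:
+fields &&
+fields.filter(
+f =>
+this.columns.some(c => c._cn === f) ||
+this.virtualColumns.some(c => c._cn === f)
+),
+data: csvRows
+},
+{
+escapeFormulae: true
+}
+);
 return { data, offset, elapsed };
 }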
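Review bot: The `escapeFormulae: true` option passed to `Papaparse.unparse` only protects the export if the installed papaparse release implements it, and this commit changes no manifest or lockfile, so the pinned version should be confirmed; a release that predates the option would presumably ignore the key without any error. As far as I recall, later papaparse releases also widened the default pattern to cover a leading tab and carriage return, so a recent pin is preferable. The escaping prepends `'` to string cells, which means values such as `-5` stored as text will not round-trip unchanged through a later CSV import; that trade-off deserves a comment above the call, for example `// escapeFormulae: prefix cells starting with = + - @ so spreadsheet apps do not evaluate exported user data`. A regression test exporting a row whose value starts with `=` would pin the behaviour. The enclosing export method begins outside this hunk, so how `csvRows` is built is not visible here.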
