Use single quote to escape formulas
and add tab ```\t``` and carriage return ```\r``` to escaped values
Robert Freigang committed Nov 29, 2021
1 parent b6ac1da commit 1932594
Showing 3 changed files with 10 additions and 9 deletions.
7 changes: 4 additions & 3 deletions docs/9.0/interoperability/escape-formula-injection.md
Expand Up @@ -14,14 +14,15 @@ The `EscapeFormula` Formatter formats CSV records to reduce [CSV Formula Injecti
The `EscapeFormula` class uses the formatter capabilities of the `Writer` object to escape formula injection.

```php
public function __construct(string $escape = "\t", array $special_chars = [])
public function __construct(string $escape = "'", array $special_chars = [])
public function __invoke(array $record): array
```

The `EscapeFormula::__construct` method takes two (2) arguments:

- the `$escape` parameter which will be used to prepend the record field, which default to `\t`;
- the `$special_chars` parameter which is an `array` with additional characters that need to be escaped. By default the following characters if found at the start of any record field content will be escaped `+`,`-`,`=`,`@`;
- the `$escape` parameter which will be used to prepend the record field, which default to `'`;
- the `$special_chars` parameter which is an `array` with additional characters that need to be escaped. By default the following characters if found at the start of any record field content will be escaped `+`,`-`,`=`,`@`, `\t`, `\r`;
- for more information see [OWASP - CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection)

```php
use League\Csv\EscapeFormula;
4 changes: 2 additions & 2 deletions src/EscapeFormula.php
Expand Up @@ -33,7 +33,7 @@ class EscapeFormula
/**
* Spreadsheet formula starting character.
*/
const FORMULA_STARTING_CHARS = ['=', '-', '+', '@'];
const FORMULA_STARTING_CHARS = ['=', '-', '+', '@', "\t", "\r"];

/**
* Effective Spreadsheet formula starting characters.
Expand All @@ -56,7 +56,7 @@ class EscapeFormula
* @param string[] $special_chars additional spreadsheet formula starting characters
*
*/
public function __construct(string $escape = "\t", array $special_chars = [])
public function __construct(string $escape = "'", array $special_chars = [])
{
$this->escape = $escape;
if ([] !== $special_chars) {
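Review bot: The docblock above `FORMULA_STARTING_CHARS` still reads `Spreadsheet formula starting character.`, but the new list also holds `"\t"` and `"\r"`, which are not formula starters; they are escaped because spreadsheet importers can treat a leading tab or carriage return as a way past the `=`/`-`/`+`/`@` check, which is why OWASP lists them. Suggested replacement: `Characters that must be escaped when found at the start of a field: spreadsheet formula starters plus tab and carriage return (see OWASP CSV Injection).` The constructor docblock in the second hunk (`@param string[] $special_chars additional spreadsheet formula starting characters`) has the same wording problem, and the default escape changing from `"\t"` to `"'"` is a behavioural change for existing writers that deserves a sentence in that docblock too. The constructor body continues outside the hunk, and the class itself starts and ends outside this section.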
8 changes: 4 additions & 4 deletions src/EscapeFormulaTest.php
Expand Up @@ -50,7 +50,7 @@ public function testConstructorThrowsInvalidArgumentException(): void
public function testGetEscape(): void
{
$formatter = new EscapeFormula();
self::assertSame("\t", $formatter->getEscape());
self::assertSame("'", $formatter->getEscape());
$formatterBis = new EscapeFormula("\n");
self::assertSame("\n", $formatterBis->getEscape());
}
Expand All @@ -76,7 +76,7 @@ public function testGetSpecialChars(): void
public function testEscapeRecord(): void
{
$record = ['2', '2017-07-25', 'Important Client', '=2+5', 240, null, (object) 'yes'];
$expected = ['2', '2017-07-25', 'Important Client', "\t=2+5", 240, null, (object) 'yes'];
$expected = ['2', '2017-07-25', 'Important Client', "'=2+5", 240, null, (object) 'yes'];
$formatter = new EscapeFormula();
self::assertEquals($expected, $formatter->escapeRecord($record));
}
Expand All @@ -89,8 +89,8 @@ public function testEscapeRecord(): void
*/
public function testFormatterOnWriter(): void
{
$record = ['2', '2017-07-25', 'Important Client', '=2+5', 240, null];
$expected = "2,2017-07-25,\"Important Client\",\"\t=2+5\",240,\n";
$record = ['2', '2017-07-25', 'Important Client', '=2+5', 240, "\ttab", "\rcr", null];
$expected = "2,2017-07-25,\"Important Client\",'=2+5,240,\"'\ttab\",\"'\rcr\",\n";
$csv = Writer::createFromFileObject(new SplTempFileObject());
$csv->addFormatter(new EscapeFormula());
$csv->insertOne($record);
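Review bot: `testEscapeRecord` still exercises only the `=` prefix, so the two starters this commit adds are covered only indirectly through the Writer round-trip in `testFormatterOnWriter`; extend the direct test as well, e.g. `$record = ['2', '2017-07-25', 'Important Client', '=2+5', "\ttab", "\rcr", 240, null, (object) 'yes'];` with `$expected = ['2', '2017-07-25', 'Important Client', "'=2+5", "'\ttab", "'\rcr", 240, null, (object) 'yes'];`. In `testFormatterOnWriter` the new `$expected` string shows `'=2+5` unquoted while the tab and CR fields are quoted, which is fputcsv behaviour rather than the formatter's; a one-line comment such as `// the quote escape is not a CSV enclosure trigger, so '=2+5 stays bare` would save the next reader a puzzle. `testGetSpecialChars` is named in a hunk header but its body is outside this section; if it pins the default special-character list it will need `"\t"` and `"\r"` too, which cannot be confirmed from here.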
