Suggested CSV Injection mitigation does not survive saving and re-opening in Excel

[xxgreg]

https://github.com/OWASP/www-community/blob/master/pages/attacks/CSV_Injection.md

Excel is commonly used to edit CSV files. Unfortunately when saving CSVs Excel strips out some of the characters which are inserted to prevent the CSV injection. This is unfortunate behaviour from Excel, and should really be fixed there, but I'd like to be able to prevent formulas from being inserted into CSVs and run on my user's computers.

For most outputs it's possible to completely disallow cells starting with "=", and "@", irrespective of quoting. But "-" is obviously required for numbers.

One suggestion for solving this is inserting an extra tab character, which prevents Excel from removing the quotes.

http://georgemauer.net/2017/10/07/csv-injection.html

Reproduction:

Consider the following CSV:

a,b
,"'=1+2"

Open the CSV, focus on the cell with the formula, and then move the focus away. Save the CSV, it is saved as:

a,b
,=1+2

Open the CSV again, the formula is executed and "3" is shown in the cell.

[kingthorin]

@pepe-invest-git please stop making random useless posts.