Add line feed (0x0A) to CSV injection character escape list (#1116)
- Added Line feed (0x0A) to the list of characters to escape for CSV injection prevention
- This ensures more complete and platform-agnostic guidance for developers
- Addresses the gap where Unix-based systems using \n as default newline character were not explicitly covered
- Fixes issue #1115
pages/attacks/CSV_Injection.md (1 addition & 0 deletions)
@@ -33,6 +33,7 @@ begin with any of the following characters:
33
33
- At (`@`)
34
34
- Tab (`0x09`)
35
35
- Carriage return (`0x0D`)
36
+
- Line feed (`0x0A`)
36
37
37
38
Keep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g., '`,`', or '`;`') and quotes (e.g., `'`, or `"`), as attackers could use this to start a new cell and then have the dangerous character in the middle of the user input, but at the beginning of a cell.
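Review bot: The added "Line feed (`0x0A`)" bullet covers only a value that begins with a line feed, while the unchanged "Keep in mind" paragraph directly after the list still names just the field separator and quotes as ways to start a new cell. A line feed or carriage return in the middle of an unquoted value ends the record, so the character that follows it lands at the start of a cell in the next row. Consider extending that paragraph to list embedded line breaks (`0x0D`, `0x0A`) alongside separators and quotes. The bullet itself matches the format of the existing "Carriage return (`0x0D`)" entry.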