Description
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program opens a CSV, any cell starting with =
is interpreted by the software as a formula and could be abused by an attacker.
In Symfony 4.1, we've added the opt-in csv_escape_formulas
option in CsvEncoder
, to prefix all cells starting by =
, +
, -
or @
by a tab \t
.