3cab48583da254adb44e6c00b7bcd13023563712 New: Add `escapeExcelFormula…

…` to `-api buttons.exportData()` and enable it by default for the CSV export button to prevent possible formula injection. https://datatables.net/forums/discussion/80069 Sync to source repo @3cab48583da254adb44e6c00b7bcd13023563712
DataTables · Oct 17, 2024 · cdb39d4 · cdb39d4
1 parent 2138813
commit cdb39d4
Show file tree

Hide file tree

Showing 9 changed files with 29 additions and 7 deletions.
diff --git a/datatables.json b/datatables.json
@@ -25,5 +25,5 @@
     ],
     "src-repo": "http://github.com/DataTables/Buttons",
     "last-tag": "3.1.2",
-    "last-sync": "fe105bc93f50921112e4f66a698b3312395c9a6a"
+    "last-sync": "3cab48583da254adb44e6c00b7bcd13023563712"
 }
diff --git a/js/buttons.html5.js b/js/buttons.html5.js
@@ -1117,7 +1117,9 @@ DataTable.ext.buttons.csvHtml5 = {
 
 	extension: '.csv',
 
-	exportOptions: {},
+	exportOptions: {
+		escapeExcelFormula: true
+	},
 
 	fieldSeparator: ',',
 

diff --git a/js/buttons.html5.min.js b/js/buttons.html5.min.js
diff --git a/js/buttons.html5.min.mjs b/js/buttons.html5.min.mjs
diff --git a/js/buttons.html5.mjs b/js/buttons.html5.mjs
@@ -1074,7 +1074,9 @@ DataTable.ext.buttons.csvHtml5 = {
 
 	extension: '.csv',
 
-	exportOptions: {},
+	exportOptions: {
+		escapeExcelFormula: true
+	},
 
 	fieldSeparator: ',',
 

diff --git a/js/dataTables.buttons.js b/js/dataTables.buttons.js
@@ -2016,6 +2016,14 @@ Buttons.stripData = function (str, config) {
 		}
 	}
 
+	// Prevent Excel from running a formula
+	if (!config || config.escapeExcelFormula) {
+		if (str.match(/^[=+\-@\t\r]/)) {
+			console.log('matching and updateing');
+			str = "'" + str;
+		}
+	}
+
 	return str;
 };
 
@@ -2738,6 +2746,7 @@ var _exportData = function (dt, inOpts) {
 			stripHtml: true,
 			stripNewlines: true,
 			decodeEntities: true,
+			escapeExcelFormula: false,
 			trim: true,
 			format: {
 				header: function (d) {

diff --git a/js/dataTables.buttons.min.js b/js/dataTables.buttons.min.js
diff --git a/js/dataTables.buttons.min.mjs b/js/dataTables.buttons.min.mjs
diff --git a/js/dataTables.buttons.mjs b/js/dataTables.buttons.mjs
@@ -1976,6 +1976,14 @@ Buttons.stripData = function (str, config) {
 		}
 	}
 
+	// Prevent Excel from running a formula
+	if (!config || config.escapeExcelFormula) {
+		if (str.match(/^[=+\-@\t\r]/)) {
+			console.log('matching and updateing');
+			str = "'" + str;
+		}
+	}
+
 	return str;
 };
 
@@ -2698,6 +2706,7 @@ var _exportData = function (dt, inOpts) {
 			stripHtml: true,
 			stripNewlines: true,
 			decodeEntities: true,
+			escapeExcelFormula: false,
 			trim: true,
 			format: {
 				header: function (d) {