diff --git a/docs/9.0/interoperability/escape-formula-injection.md b/docs/9.0/interoperability/escape-formula-injection.md index a639da1a..e21be517 100644 --- a/docs/9.0/interoperability/escape-formula-injection.md +++ b/docs/9.0/interoperability/escape-formula-injection.md @@ -14,14 +14,15 @@ The `EscapeFormula` Formatter formats CSV records to reduce [CSV Formula Injecti The `EscapeFormula` class uses the formatter capabilities of the `Writer` object to escape formula injection. ```php -public function __construct(string $escape = "\t", array $special_chars = []) +public function __construct(string $escape = "'", array $special_chars = []) public function __invoke(array $record): array ``` The `EscapeFormula::__construct` method takes two (2) arguments: -- the `$escape` parameter which will be used to prepend the record field, which default to `\t`; -- the `$special_chars` parameter which is an `array` with additional characters that need to be escaped. By default the following characters if found at the start of any record field content will be escaped `+`,`-`,`=`,`@`; +- the `$escape` parameter which will be used to prepend the record field, which default to `'`; +- the `$special_chars` parameter which is an `array` with additional characters that need to be escaped. By default the following characters if found at the start of any record field content will be escaped `+`,`-`,`=`,`@`, `\t`, `\r`; +- for more information see [OWASP - CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection) ```php use League\Csv\EscapeFormula; diff --git a/src/EscapeFormula.php b/src/EscapeFormula.php index 673968d6..3f4245ad 100644 --- a/src/EscapeFormula.php +++ b/src/EscapeFormula.php @@ -33,7 +33,7 @@ class EscapeFormula /** * Spreadsheet formula starting character. */ - const FORMULA_STARTING_CHARS = ['=', '-', '+', '@']; + const FORMULA_STARTING_CHARS = ['=', '-', '+', '@', "\t", "\r"]; /** * Effective Spreadsheet formula starting characters. @@ -56,7 +56,7 @@ class EscapeFormula * @param string[] $special_chars additional spreadsheet formula starting characters * */ - public function __construct(string $escape = "\t", array $special_chars = []) + public function __construct(string $escape = "'", array $special_chars = []) { $this->escape = $escape; if ([] !== $special_chars) { diff --git a/src/EscapeFormulaTest.php b/src/EscapeFormulaTest.php index 6e83f579..a4e9bb6e 100644 --- a/src/EscapeFormulaTest.php +++ b/src/EscapeFormulaTest.php @@ -50,7 +50,7 @@ public function testConstructorThrowsInvalidArgumentException(): void public function testGetEscape(): void { $formatter = new EscapeFormula(); - self::assertSame("\t", $formatter->getEscape()); + self::assertSame("'", $formatter->getEscape()); $formatterBis = new EscapeFormula("\n"); self::assertSame("\n", $formatterBis->getEscape()); } @@ -76,7 +76,7 @@ public function testGetSpecialChars(): void public function testEscapeRecord(): void { $record = ['2', '2017-07-25', 'Important Client', '=2+5', 240, null, (object) 'yes']; - $expected = ['2', '2017-07-25', 'Important Client', "\t=2+5", 240, null, (object) 'yes']; + $expected = ['2', '2017-07-25', 'Important Client', "'=2+5", 240, null, (object) 'yes']; $formatter = new EscapeFormula(); self::assertEquals($expected, $formatter->escapeRecord($record)); } @@ -89,8 +89,8 @@ public function testEscapeRecord(): void */ public function testFormatterOnWriter(): void { - $record = ['2', '2017-07-25', 'Important Client', '=2+5', 240, null]; - $expected = "2,2017-07-25,\"Important Client\",\"\t=2+5\",240,\n"; + $record = ['2', '2017-07-25', 'Important Client', '=2+5', 240, "\ttab", "\rcr", null]; + $expected = "2,2017-07-25,\"Important Client\",'=2+5,240,\"'\ttab\",\"'\rcr\",\n"; $csv = Writer::createFromFileObject(new SplTempFileObject()); $csv->addFormatter(new EscapeFormula()); $csv->insertOne($record);