[OutSystems Data Grid] Formula Injection Remediation for CSV/Excel Download
data-grid-reactive
Forge component by Platform Maintenance
Application Type: Reactive
Service Studio Version: 11.14.7 (Build 58100)
Platform Version: 11.9.1 (Build 20359)

Hi,

We did a penetration test recently and found a potential risk in the CSV/Excel download from the data grid, related to a formula injection issue where the cell value starts with "=", "+", "-" or "@".

We are implementing a fix now to ensure that no "=", "+", "-" or "@" is entered by the user as the first character for most of the fields.

But we still have some exception scenarios where some field values may have one of those 4 characters as the first character of the string; these values are sourced from other systems, and we have no control to restrict the user input.

According to the remediation suggestion, we can add a single quote at the beginning of any cell value starting with those characters, so that it will be interpreted as data and not as a formula.

Can anyone share an idea of how to prefix the value in the data grid CSV/Excel export with a single quote (') in the cell value?

Regards,
Soon
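
One way to apply the single-quote prefix described in the post, written here as an added example (not part of the original post and not the OutSystems Data Grid API). The function names, column names and sample rows are hypothetical; the code assumes the row data can be transformed before it is handed to whatever export routine is in use, and it leaves values typed as numbers untouched.

```javascript
// Added example: neutralise formula-leading cell values before CSV export.
// All names below are hypothetical and not part of the Data Grid API.
const FORMULA_LEADERS = new Set(["=", "+", "-", "@"]);

// Prefix a single quote when a text value begins with one of the four
// characters named in the post, so a spreadsheet treats it as data.
function neutralizeCell(value) {
  if (value === null || value === undefined) return "";
  // Assumption: values typed as numbers (e.g. -5) are real numbers, not
  // attacker-controlled text, so they are exported unchanged.
  if (typeof value === "number") return String(value);
  const text = String(value);
  return FORMULA_LEADERS.has(text.charAt(0)) ? "'" + text : text;
}

// RFC 4180 quoting: wrap fields containing a comma, quote, CR or LF,
// and double any embedded quotes. Applied after neutralisation.
function csvField(text) {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

// Build the CSV text from column names and an array of row objects.
function toSafeCsv(columns, rows) {
  const lines = [columns.map(csvField).join(",")];
  for (const row of rows) {
    lines.push(columns.map((c) => csvField(neutralizeCell(row[c]))).join(","));
  }
  return lines.join("\r\n");
}

// Constructed sample rows, including values that arrive from another system.
const sampleRows = [
  { Name: "Alice", Note: "=1+1", Balance: -5 },
  { Name: "@bob", Note: 'said "hi", left', Balance: 10 },
  { Name: "Carol", Note: "-pending", Balance: 0 },
];

console.log(toSafeCsv(["Name", "Note", "Balance"], sampleRows));
```
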
