Does Handsontable Prevent CSV/Formula Injection?

I was working with Handsontable and figured out that it doesn’t prevent CSV injection in the table as Google Spreadsheet does.
CSV injection definition: https://owasp.org/www-community/attacks/CSV_Injection
We treat such concerns very seriously, and we will investigate that. To start with, please note that:
- Handsontable does not have built-in support for the CSV file format. If a user loads a CSV file, it must be through some external integration code and should be sanitized there.
- Handsontable, when run in the supported software (web browsers), is isolated from the operating system, so the formulas do not have access to the operating system.
- On the above screenshot, it seems that the formulas were pasted from an external source. Pasting formulas from the system clipboard is actually a feature. The same works when you paste from Excel to Google Sheets. If you’d like to disable that, there is a hook for that: https://handsontable.com/docs/api/hooks/#beforepaste
Do you have a recommendation on what we could do to increase the security when dealing with formula input?
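As an added illustration (not Handsontable's own code, and not from either poster), the following shows the two places the reply points at: a `beforePaste` hook body that neutralizes formula-leading cells before they reach the grid, and a CSV export helper for the external integration code, following the OWASP guidance linked above. It assumes the hook is passed into the Handsontable config by the integration (`new Handsontable(container, { data, beforePaste })`) and that `data` in the hook is a two-dimensional array that can be edited in place.

```javascript
// Characters that spreadsheet applications may interpret as the start of a
// formula when a cell is opened (see the OWASP CSV Injection page linked above).
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Neutralize a single cell: a string that begins with a trigger character is
// prefixed with a single quote so a spreadsheet treats it as text.
// Non-string values (numbers, null, undefined) are returned unchanged.
// Numeric-looking strings such as "-5" are also quoted; that is the safe default.
function neutralizeCell(value) {
  if (typeof value !== 'string' || value.length === 0) return value;
  return FORMULA_TRIGGERS.has(value[0]) ? `'${value}` : value;
}

// Body for Handsontable's beforePaste(data, coords) hook (assumed wiring, see lead-in).
// `data` is the 2-D array of pasted values; editing it in place changes what is
// written to the grid, and returning nothing lets the paste continue.
function beforePaste(data, coords) {
  for (const row of data) {
    for (let c = 0; c < row.length; c += 1) {
      row[c] = neutralizeCell(row[c]);
    }
  }
}

// Export side: the integration code that writes CSV is where the reply says
// sanitisation belongs. Each cell is neutralized, then wrapped in double quotes
// with embedded quotes doubled so the CSV structure itself cannot be broken.
function toCsvRow(cells) {
  return cells
    .map((cell) => {
      const text = cell === null || cell === undefined ? '' : String(neutralizeCell(cell));
      return `"${text.replace(/"/g, '""')}"`;
    })
    .join(',');
}

// Constructed sample paste, as the clipboard plugin would hand it to the hook.
const samplePaste = [['=1+1', 'ok', 42], ['@cmd', '-5', '']];
beforePaste(samplePaste, [{ startRow: 0, startCol: 0, endRow: 1, endCol: 2 }]);
// samplePaste[0][0] is now "'=1+1"; samplePaste[0][2] stays the number 42.
```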