prevent csv injection

This commit is contained in:
denisdulici 2020-04-24 23:28:43 +03:00
parent a884e06b72
commit 54478d1a6a


@ -35,6 +35,8 @@ abstract class Export implements FromCollection, ShouldAutoSize, WithHeadings, W
$date_fields = ['paid_at', 'invoiced_at', 'billed_at', 'due_at', 'issued_at', 'created_at']; $date_fields = ['paid_at', 'invoiced_at', 'billed_at', 'due_at', 'issued_at', 'created_at'];
$evil_chars = ['=', '+', '-', '@'];
foreach ($this->fields() as $field) { foreach ($this->fields() as $field) {
$value = $model->$field; $value = $model->$field;
@ -42,6 +44,11 @@ abstract class Export implements FromCollection, ShouldAutoSize, WithHeadings, W
$value = Date::parse($value)->format('Y-m-d'); $value = Date::parse($value)->format('Y-m-d');
} }
// Prevent CSV injection https://security.stackexchange.com/a/190848
if (Str::startsWith($value, $evil_chars)) {
$value = "'" . $value;
}
$map[] = $value; $map[] = $value;
} }
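Review bot: The new guard prefixes every value that starts with `-`, so negative numeric fields in the export (a refund amount, say, stored as "-100.00") are turned into the text "'-100.00" and stop being numbers in the spreadsheet; since only non-numeric cells can carry a formula, the check should skip numeric values, `if (!is_numeric($value) && Str::startsWith($value, $evil_chars)) {`. The `$evil_chars` list in the first hunk also omits the tab and carriage-return characters that the OWASP CSV-injection guidance names as formula triggers; `$evil_chars = ['=', '+', '-', '@', "\t", "\r"];` would cover them. A short comment on that declaration explaining why the list exists would help a future maintainer resist "cleaning it up". The `foreach` that encloses this hunk opens in the earlier hunk and the method itself starts outside both.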