Merge pull request #1426 from denisdulici/master

Prevent CSV injection
Denis Duliçi 2020-04-24 23:31:29 +03:00 committed by GitHub
commit a4b8ff44b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -35,6 +35,8 @@ abstract class Export implements FromCollection, ShouldAutoSize, WithHeadings, W
$date_fields = ['paid_at', 'invoiced_at', 'billed_at', 'due_at', 'issued_at', 'created_at'];
$evil_chars = ['=', '+', '-', '@'];
foreach ($this->fields() as $field) {
$value = $model->$field;
@ -42,6 +44,11 @@ abstract class Export implements FromCollection, ShouldAutoSize, WithHeadings, W
$value = Date::parse($value)->format('Y-m-d');
}
// Prevent CSV injection https://security.stackexchange.com/a/190848
if (Str::startsWith($value, $evil_chars)) {
$value = "'" . $value;
}
$map[] = $value;
}
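Review bot: The `$evil_chars` list covers `=`, `+`, `-` and `@` but leaves out tab and carriage return, which OWASP's CSV-injection guidance also lists as prefixes a spreadsheet may strip before evaluating a cell; consider `$evil_chars = ['=', '+', '-', '@', "\t", "\r"];`. Separately, the check runs on every field, so a negative amount such as `-5.00` would presumably be exported as the text `'-5.00` and no longer sum in the spreadsheet. Guarding with `if (is_string($value) && !is_numeric($value) && Str::startsWith($value, $evil_chars)) {` keeps plain numbers intact while still quoting formula-like strings. The enclosing method starts and ends outside these hunks, so whether the amount fields reach this loop as strings or numbers should be confirmed against the model.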