
Commit cdb39d4

author
dtbuild
committed
3cab48583da254adb44e6c00b7bcd13023563712 New: Add escapeExcelFormula to -api buttons.exportData() and enable it by default for the CSV export button to prevent possible formula injection.
https://datatables.net/forums/discussion/80069 Sync to source repo @3cab48583da254adb44e6c00b7bcd13023563712
1 parent 2138813 commit cdb39d4

9 files changed

+29
-7
lines changed

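--- a/datatables.json
+++ b/datatables.json
@@ -25,5 +25,5 @@
 ],
 "src-repo": "http://github.com/DataTables/Buttons",
 "last-tag": "3.1.2",
-"last-sync": "fe105bc93f50921112e4f66a698b3312395c9a6a"
+"last-sync": "3cab48583da254adb44e6c00b7bcd13023563712"
 }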

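--- a/js/buttons.html5.js
+++ b/js/buttons.html5.js
@@ -1117,7 +1117,9 @@ DataTable.ext.buttons.csvHtml5 = {
 
 extension: '.csv',
 
-exportOptions: {},
+exportOptions: {
+escapeExcelFormula: true
+},
 
 fieldSeparator: ',',
 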
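Review bot: The new `escapeExcelFormula: true` in the csvHtml5 button's exportOptions has no comment explaining the behaviour it switches on, which users will notice as a leading apostrophe on cells that start with =, +, -, @, tab or CR; a one-liner would help: `// Quote-prefix cells a spreadsheet would evaluate as a formula (see Buttons.stripData)`. Whether a user-supplied exportOptions on this button is merged with this default or replaces it is not visible in the hunk; if it replaces it, the protection silently disappears as soon as any other exportOption is customised, which deserves a note in the button documentation. js/buttons.html5.mjs carries the identical change.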

js/buttons.html5.min.js

+1-1

js/buttons.html5.min.mjs

+1-1

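--- a/js/buttons.html5.mjs
+++ b/js/buttons.html5.mjs
@@ -1074,7 +1074,9 @@ DataTable.ext.buttons.csvHtml5 = {
 
 extension: '.csv',
 
-exportOptions: {},
+exportOptions: {
+escapeExcelFormula: true
+},
 
 fieldSeparator: ',',
 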

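--- a/js/dataTables.buttons.js
+++ b/js/dataTables.buttons.js
@@ -2016,6 +2016,14 @@ Buttons.stripData = function (str, config) {
 }
 }
 
+// Prevent Excel from running a formula
+if (!config || config.escapeExcelFormula) {
+if (str.match(/^[=+\-@\t\r]/)) {
+console.log('matching and updateing');
+str = "'" + str;
+}
+}
+
 return str;
 };
 
@@ -2738,6 +2746,7 @@ var _exportData = function (dt, inOpts) {
 stripHtml: true,
 stripNewlines: true,
 decodeEntities: true,
+escapeExcelFormula: false,
 trim: true,
 format: {
 header: function (d) {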
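Review bot: The `console.log('matching and updateing');` inside the new escaping branch of Buttons.stripData is leftover debug output (with a typo) that will fire once per exported cell matching the pattern; it should be deleted before this ships. The guard `if (!config || config.escapeExcelFormula)` escapes unconditionally when no config object is passed, whereas the `_exportData` defaults in the second hunk set `escapeExcelFormula: false`, so a caller's result depends on whether it passes a config at all — worth confirming that is intended and stating it in the function's doc comment. The comment above the guard would also be clearer as `// Prefix cells that look like a spreadsheet formula (leading =, +, -, @, tab, CR) with a quote so they are read as text`, since the protection is not Excel-specific. Buttons.stripData begins outside the hunk, so any earlier coercion of `str` to a string before `.match` is called cannot be confirmed here. The same lines appear in js/dataTables.buttons.mjs.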

js/dataTables.buttons.min.js

+1-1

js/dataTables.buttons.min.mjs

+1-1

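--- a/js/dataTables.buttons.mjs
+++ b/js/dataTables.buttons.mjs
@@ -1976,6 +1976,14 @@ Buttons.stripData = function (str, config) {
 }
 }
 
+// Prevent Excel from running a formula
+if (!config || config.escapeExcelFormula) {
+if (str.match(/^[=+\-@\t\r]/)) {
+console.log('matching and updateing');
+str = "'" + str;
+}
+}
+
 return str;
 };
 
@@ -2698,6 +2706,7 @@ var _exportData = function (dt, inOpts) {
 stripHtml: true,
 stripNewlines: true,
 decodeEntities: true,
+escapeExcelFormula: false,
 trim: true,
 format: {
 header: function (d) {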
