
Preventing CSV Injection

Çağlar Arlı

I am creating an application that takes information from another system and writes reports in CSV format. I am trying to mitigate CSV Injection vulnerabilities in it. I have done some research and got started with OWASP - CSV Injection, where it suggests:

Alternatively, apply the following sanitization to each field of the CSV, so that their content will be read as text by the spreadsheet editor:

  • Wrap each cell field in double quotes
  • Prepend each cell field with a single quote
  • Escape every double quote using an additional double quote

Note: Alternative to escaping individual characters


The way I interpret that bulleted list is that the items are joined by an AND, meaning I need to apply all three suggestions to properly mitigate the issue.

Doing some more research, I came across the following question on Security SE about it, where I found a link to this document (also pointed out in the response), which simply suggests adding a single quote (') at the start of the column. In any case, when I open it (in this case I am on Linux, so I am opening it with LibreOffice) the document ends up looking as follows:

[image: Opening CSV in LibreOffice]

All the cells show up prepended with the suggested single quotation mark. I know this might be mitigated by tweaking the options used to open the CSV document, yet we all know that no matter how many instructions are given, users will simply ignore them.

The questions I am having are:

  • Should I apply all 3 suggestions given by OWASP? (From their document and examples it would seem so.)
  • Would that be a one-size-fits-all type of solution?
  • How (if at all possible) can I prevent the document from showing that first quotation mark without requiring the user to tune the options used to read the document?

I also checked on Google Spreadsheets, and the ' character does not show:

[image: Google Spreadsheets]

On MS Excel (which I assume would be the most common case) the ' character is visible:

[image: MS Excel]
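As an added example (not code from the question author), the following Python writer implements the three OWASP steps quoted above with the standard csv module: QUOTE_ALL wraps every field in double quotes and doubles any embedded double quote, and the writer prepends a single quote. It also shows the usual compromise for the third question: with prefix_all=False the apostrophe is only added to fields whose first character is one of the formula triggers OWASP lists (=, +, -, @, tab, carriage return), so ordinary cells like names render without a visible quote. The trigger list, the function names and the sample rows are assumptions made for this example, and the sample rows are constructed, not real data.

```python
import csv
import io

# Leading characters that make spreadsheet software treat a cell as a
# formula (the set listed on the OWASP CSV Injection page; assumed here).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def sanitize_field(value, prefix_all=False):
    """Return the text form of a field, prefixed with a single quote when
    it would otherwise be interpreted as a formula (or always, if
    prefix_all is set, as in the OWASP bullet list)."""
    text = "" if value is None else str(value)
    if prefix_all or text.startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def write_csv(rows, prefix_all=False):
    """Serialise rows to CSV text with every field double-quoted and
    embedded double quotes doubled (csv.QUOTE_ALL + doublequote=True)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_field(v, prefix_all) for v in row])
    return buf.getvalue()


def has_formula_cells(csv_text):
    """Parse CSV text back and report whether any cell still begins with a
    formula trigger; useful as a check on the generated report."""
    reader = csv.reader(io.StringIO(csv_text))
    return any(cell.startswith(FORMULA_TRIGGERS)
               for row in reader for cell in row)


if __name__ == "__main__":
    # Constructed sample: one benign row and one row carrying a formula
    # payload in the "note" column, as an attacker-controlled upstream
    # system might supply it.
    sample_rows = [
        ["name", "balance", "note"],
        ["Alice", "10", "paid in full"],
        ["Bob", "-5", '=HYPERLINK("http://evil.example","click")'],
    ]
    report = write_csv(sample_rows)
    print(report)
    print("formula cells left:", has_formula_cells(report))
```

With prefix_all=False the only cells that gain the apostrophe in the sample are "-5" and the HYPERLINK payload, so the apostrophe stays out of the name and header cells in viewers that display it; negative numbers and anything else that legitimately starts with + or - still get it, which is the trade-off to be aware of when choosing between the two modes.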