Ghost/ghost/members-csv/lib
Daniel Lockyer de668e7950 🔒 Added escaping to member export CSV fields
fix https://linear.app/tryghost/issue/ENG-805/
refs https://owasp.org/www-community/attacks/CSV_Injection

- it's possible for certain fields in a member CSV export to be executed
  by software that opens the CSVs
- we can protect against this for the user by escaping any formulae in
  the CSV fields
- papaparse provides this option natively, so it's just a case of
  providing the field to the unparse method
- credits to Harvey Spec (phulelouch) for reporting
2024-04-03 10:21:02 +02:00
..
parse.js 🐛 Handled BOM character for Unicode encoded file uploads (#17104) 2023-06-23 08:31:16 +02:00
unparse.js 🔒 Added escaping to member export CSV fields 2024-04-03 10:21:02 +02:00