sonata-project · timwentzell · Jan 6, 2021 · Jan 6, 2021 · Jan 6, 2021 · greg0ire
diff --git a/src/Writer/CsvWriter.php b/src/Writer/CsvWriter.php
@@ -137,6 +137,13 @@ public function write(array $data): void
             EXCEPTION);
         }
 
+        // prevent csv injection
+        $patterns = ['/^=/', '/^\+/', '/^-/', '/^@/'];
+        $replace = ['!=', '!+', '!-', '!@'];
+        foreach ($data as $key => $value) {
+            $data[$key] = preg_replace($patterns, $replace, $value);
+        }
+
         $result = @fputcsv($this->file, $data, $this->delimiter, $this->enclosure, $this->escape);
 
         if (!$result) {

diff --git a/src/Writer/XlsWriter.php b/src/Writer/XlsWriter.php
@@ -78,8 +78,11 @@ public function write(array $data): void
         $this->init($data);
 
         fwrite($this->file, '<tr>');
+        // prevent xls injection
+        $patterns = ['/^=/', '/^\+/', '/^-/', '/^@/'];
+        $replace = ['!=', '!+', '!-', '!@'];
         foreach ($data as $value) {
-            fwrite($this->file, sprintf('<td>%s</td>', $value));
+            fwrite($this->file, sprintf('<td>%s</td>', preg_replace($patterns, $replace, $value)));
         }
         fwrite($this->file, '</tr>');