From 29f1dd5f5e93baa289aba3bb1a364772fa06dcf8 Mon Sep 17 00:00:00 2001
From: Basil Suter
Date: Thu, 7 Apr 2022 14:09:59 +0000
Subject: [PATCH 1/4] sanitizer

---
 src/helpers/ExportHelper.php | 20 +++++++++++++++-----
 tests/helpers/ExportHelperTest.php | 2 +-
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/helpers/ExportHelper.php b/src/helpers/ExportHelper.php
index 44e2fcb..2f1bbaa 100644
--- a/src/helpers/ExportHelper.php
+++ b/src/helpers/ExportHelper.php
@@ -179,13 +179,23 @@ protected static function generateRow(array $row, $delimiter, $enclose)
 } elseif (!is_scalar($item)) {
 $item = "[array]";
 }
- $item = $enclose.str_replace([
- '"',
- ], [
- '""',
- ], $item).$enclose;
+ $item = $enclose.self::sanitizeValue($item).$enclose;
 });
 return implode($delimiter, $row) . PHP_EOL;
 }
+
+ /**
+ * Undocumented function
+ *
+ * @param [type] $value
+ * @return void
+ * @see https://owasp.org/www-community/attacks/CSV_Injection
+ */
+ public static function sanitizeValue($value)
+ {
+ return str_replace([
+ '";', '",', '"', "'"
+ ], '', trim($value));
+ }
 }
diff --git a/tests/helpers/ExportHelperTest.php b/tests/helpers/ExportHelperTest.php
index 2e18b4d..3000b5f 100644
--- a/tests/helpers/ExportHelperTest.php
+++ b/tests/helpers/ExportHelperTest.php
@@ -139,6 +139,6 @@ public function testSpecialCharsEncoding()
 ['&', "'", 'a"b"c'],
 ], [], false);
- $this->assertSameTrimmed('"&","\'","a""b""c"', $content);
+ $this->assertSameTrimmed('"&","","abc"', $content);
 }
 }

From bbda4be6cc0229fa29ec5e481a8381e0022debfe Mon Sep 17 00:00:00 2001
From: Basil Suter
Date: Thu, 21 Apr 2022 12:40:49 +0000
Subject: [PATCH 2/4] escape formula inputs

---
 src/helpers/ExportHelper.php | 22 +++++++++++++++-------
 tests/helpers/ExportHelperTest.php | 3 ++-
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/helpers/ExportHelper.php b/src/helpers/ExportHelper.php
index 2f1bbaa..d3f3618 100644
--- a/src/helpers/ExportHelper.php
+++ b/src/helpers/ExportHelper.php
@@ -186,16 +186,24 @@ protected static function generateRow(array $row, $delimiter, $enclose)
 }
 /**
- * Undocumented function
- *
- * @param [type] $value
- * @return void
+ *
+ * @param string $value
+ * @return string
 * @see https://owasp.org/www-community/attacks/CSV_Injection
 */
 public static function sanitizeValue($value)
 {
- return str_replace([
- '";', '",', '"', "'"
- ], '', trim($value));
+ $value = str_replace([
+ '"',
+ ], [
+ '""',
+ ], trim($value));
+
+ $firstChar = substr($value, 0, 1);
+ if (in_array($firstChar, ['=', '+', '-', '@', PHP_EOL, "\t", "\n"])) {
+ $value = StringHelper::replaceFirst($firstChar, "'$firstChar", $value);
+ }
+
+ return $value;
 }
 }
diff --git a/tests/helpers/ExportHelperTest.php b/tests/helpers/ExportHelperTest.php
index 3000b5f..fb25cc9 100644
--- a/tests/helpers/ExportHelperTest.php
+++ b/tests/helpers/ExportHelperTest.php
@@ -137,8 +137,9 @@ public function testSpecialCharsEncoding()
 {
 $content = ExportHelper::csv([
 ['&', "'", 'a"b"c'],
+ ['nix', 'nix', '=1+2";=1+2']
 ], [], false);
- $this->assertSameTrimmed('"&","","abc"', $content);
+ $this->assertSameTrimmed('"&","\'","a""b""c" "nix","nix","\'=1+2"";=1+2"', $content);
 }
 }

From 412b09f2119c9c4fb509085106f0b7b401b1195b Mon Sep 17 00:00:00 2001
From: Basil Suter
Date: Thu, 21 Apr 2022 12:42:04 +0000
Subject: [PATCH 3/4] changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb40157..c86c295 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/).
+## 1.2.1 (21. April 2022)
+
++ [#7](https://github.com/luyadev/yii-helpers/pull/7) Fixed security issue with csv injection for formulas and functions.
+
 ## 1.2.0 (15. June 2021)
 + [#4](https://github.com/luyadev/yii-helpers/pull/4) Added option to define the delimiter in `StringHelper::template` function.
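Review bot: The `PHP_EOL`, `"\t"` and `"\n"` entries in the new `in_array` list inside sanitizeValue can never match, because `trim($value)` on the preceding `str_replace` line already strips leading whitespace before `$firstChar` is read, so the list documents a check that is never performed; either drop those entries, or stop trimming and keep tab and carriage return (`"\t"`, `"\r"`), the two control characters the linked OWASP page lists as formula triggers. The same `in_array` call should pass `strict: true`, and `StringHelper::replaceFirst($firstChar, "'$firstChar", $value)` is an indirect way of prepending to a string whose first character is already known: `if (in_array($firstChar, ['=', '+', '-', '@', "\t", "\r"], true)) { $value = "'" . $value; }`. Be aware that the prefix also turns legitimate values such as `-5` or a `+41…` phone number into text in the spreadsheet; exempting `is_numeric($value)` strings before the prefix would keep them numeric without weakening the mitigation, since a numeric string cannot start a formula. The `@param string $value` tag does not match the caller in generateRow, which forwards anything that passes `is_scalar` — `trim()` coerces ints, floats and bools, so the docblock should presumably say `int|float|string|bool`.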
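Review bot: The new row in testSpecialCharsEncoding only exercises the `=` prefix, so the `+`, `-` and `@` branches of sanitizeValue, and the interaction with leading whitespace (`" =1"`, which `trim()` removes before the prefix check runs), stay unpinned; one more row such as `['-1', '+1', '@a', " =1"]` with the expected `'"\'-1","\'+1","\'@a","\'=1"'` would cover them. The expected string also joins the two CSV rows with a single space, which presumably relies on `assertSameTrimmed` collapsing line breaks — a short comment on the assertion, e.g. `// rows are separated by PHP_EOL; assertSameTrimmed normalises it to a space`, would stop a reader from taking the space for the real separator.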
From 63874c7438320bd824ce8f556a4a1d340ebfd5a3 Mon Sep 17 00:00:00 2001
From: Basil Suter
Date: Thu, 21 Apr 2022 12:43:37 +0000
Subject: [PATCH 4/4] phpdocs [skip ci]

---
 src/helpers/ExportHelper.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/helpers/ExportHelper.php b/src/helpers/ExportHelper.php
index d3f3618..dfec6f0 100644
--- a/src/helpers/ExportHelper.php
+++ b/src/helpers/ExportHelper.php
@@ -186,10 +186,12 @@ protected static function generateRow(array $row, $delimiter, $enclose)
 }
 /**
+ * Sanitize Certain Values to increase security from user generated output.
 *
 * @param string $value
 * @return string
 * @see https://owasp.org/www-community/attacks/CSV_Injection
+ * @since 1.2.1
 */
 public static function sanitizeValue($value)
 {