From bae200edd754ebd04a32d30ba2c66a81d5612ed0 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Fri, 30 Sep 2022 09:29:17 -0700
Subject: [PATCH] Use EscapeFormula() in CSV export

Signed-off-by: snipe <snipe@snipe.net>
---
 app/Http/Controllers/ReportsController.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/ReportsController.php b/app/Http/Controllers/ReportsController.php
index c7e5bf74ac95..f3d69247428f 100644
--- a/app/Http/Controllers/ReportsController.php
+++ b/app/Http/Controllers/ReportsController.php
@@ -22,7 +22,7 @@
 use Input;
 use League\Csv\Reader;
 use Symfony\Component\HttpFoundation\StreamedResponse;
-
+use League\Csv\EscapeFormula;
 /**
  * This controller handles all actions related to Reports for
  * the Snipe-IT Asset Management application.
@@ -666,6 +666,9 @@ public function postCustom(Request $request)
                 $executionTime = microtime(true) - $_SERVER['REQUEST_TIME_FLOAT'];
                 \Log::debug('Walking results: '.$executionTime);
                 $count = 0;
+
+                $formatter = new EscapeFormula("`");
+
                 foreach ($assets as $asset) {
                     $count++;
                     $row = [];
@@ -855,7 +858,7 @@ public function postCustom(Request $request)
                             $row[] = $asset->$column_name;
                         }
                     }
-                    fputcsv($handle, $row);
+                    fputcsv($handle, $formatter->escapeRecord($row));
                     $executionTime = microtime(true) - $_SERVER['REQUEST_TIME_FLOAT'];
                     \Log::debug('-- Record '.$count.' Asset ID:'.$asset->id.' in '.$executionTime);
                 }