Bug Description
src/lib/csv.ts (csvCell/toCsv) only escapes commas, quotes, and newlines. It does not neutralize leading =, +, -, or @ characters. This CSV is used in GET /api/user/export for contributions.csv. If any exported field (e.g. a repo name, goal title) begins with one of these characters, opening the file in Excel or Google Sheets can execute it as a formula — a well-known CSV injection vector (CWE-1236).
Steps to Reproduce
- Create a goal or otherwise get a user-controlled string field starting with = (e.g. =1+1 or =HYPERLINK(...)) into exportable data.
- Trigger GET /api/user/export.
- Open the resulting contributions.csv in Excel/Google Sheets — the formula executes instead of displaying as text.
Affected Area
API Routes
Screenshots
NA
Browser & OS
No response
Environment
Both
Additional Context
Fix is to prefix cell values starting with =, +, -, @, tab, or CR with a single quote ' before quoting, per OWASP CSV injection guidance.
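The fix described above, as an added example that is not the project's src/lib/csv.ts: csvCell neutralizes a leading formula trigger with a single quote before applying RFC 4180 quoting. As an assumption going slightly beyond the issue text, genuine numeric values are exempted so negative numbers still export as numbers.

```typescript
// Added example, not the project's src/lib/csv.ts: hardened csvCell/toCsv that
// neutralize formula-triggering leading characters (OWASP CSV injection
// guidance) in addition to the usual quoting of commas, quotes and line breaks.

// Characters Excel / Google Sheets may treat as the start of a formula when
// they appear first in a cell. Tab and CR are included because some importers
// strip leading whitespace before evaluating the cell.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Step 1: defuse a potential formula by prefixing a single quote, which makes
// spreadsheets treat the cell as literal text.
export function neutralizeFormula(value: string): string {
  return FORMULA_TRIGGERS.has(value.charAt(0)) ? `'${value}` : value;
}

// Step 2: RFC 4180 quoting. Quote when the value contains a delimiter, a quote
// or a line break, and double any embedded quotes.
function quoteCell(text: string): string {
  return /[",\r\n]/.test(text) ? `"${text.replace(/"/g, '""')}"` : text;
}

// Neutralization happens BEFORE quoting, so the leading quote ends up inside
// the quoted cell. Numbers are assumed safe (they come from the server, not
// from user-controlled strings) so "-5" as a number stays "-5".
export function csvCell(value: unknown): string {
  if (value == null) return "";
  if (typeof value === "number") return String(value);
  return quoteCell(neutralizeFormula(String(value)));
}

export function toCsv(headers: string[], rows: unknown[][]): string {
  return [headers, ...rows].map((row) => row.map(csvCell).join(",")).join("\r\n");
}
```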
I want to work on this under GSSoC
/assign