** Changed in: mahara/21.04
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1930471

Title:
  Exporting of CSV files needs to sanitize data

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed
Status in Mahara 20.10 series:
  In Progress
Status in Mahara 21.04 series:
  Fix Committed

Bug description:
  When we export CSV files, like we do in the reports pages, we don't
  sanitize the output.

  This means if a person saves data (like their username) beginning with
  certain characters, e.g. = or + etc., then when the data is added into
  a spreadsheet program, the program will interpret the value as a
  command.

  This allows one to create a malicious string so that they can exploit
  spreadsheet vulnerabilities.

  Though this exploit isn't affecting Mahara itself - it can be the
  vector of transmission.

  It will be best if we sanitize the CSV exports to avoid this.

  A suggestion is to add a TAB character before any string that begins
  with a susceptible character.
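
The mitigation suggested in the bug description, sketched as an added example (this is not Mahara's code and not the committed fix). The helper names `csv_safe_cell` and `csv_export` are hypothetical, the sample rows are constructed, and the trigger list beyond the `=` and `+` named in the report is an assumption taken from OWASP's CSV injection guidance.

```php
<?php
// Added example, not Mahara's code: neutralise spreadsheet formula triggers
// in exported CSV cells by prefixing a TAB, as the bug description suggests.

// Assumption: the report names only "=" and "+"; "-", "@", TAB and CR are
// added here from OWASP's CSV injection guidance.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** Hypothetical helper: return a cell value that a spreadsheet treats as text. */
function csv_safe_cell($value): string {
    // Native numbers cannot carry a formula; leave them alone so that a
    // negative count such as -5 is still imported as a number.
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    $value = (string) $value;
    if ($value !== '' && in_array($value[0], FORMULA_TRIGGERS, true)) {
        return "\t" . $value;
    }
    return $value;
}

/** Hypothetical helper: write rows to an open stream, sanitizing every cell. */
function csv_export($fh, array $rows): void {
    foreach ($rows as $row) {
        // fputcsv handles quoting of commas, quotes and newlines; the TAB
        // prefix is applied before that quoting step.
        fputcsv($fh, array_map('csv_safe_cell', $row), ',', '"', '\\');
    }
}

// Constructed sample data: two usernames begin with a susceptible character.
$rows = [
    ['username', 'firstname', 'logins'],
    ['alice', 'Alice', 12],
    ['=1+1', 'Mallory', 3],
    ['+bob', 'Bob', -5],
];

$fh = fopen('php://memory', 'w+');
csv_export($fh, $rows);
rewind($fh);
echo stream_get_contents($fh);
fclose($fh);
```

Sanitizing at the export boundary rather than at input time leaves stored usernames unchanged and covers every report that goes through the same writer.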