Use ' instead of backspace for escaping in csv export (#41163)

* Use ' instead of backspace for escaping * Update tests * Update dead link * Update test case title * Add changelog * Fix typo in changelog * Escape tab and carriage return chars too --------- Co-authored-by: Anurag Bhandari <anurag@automattic.com>
2023-11-15 11:29:55 +02:00 · 2023-11-15 11:29:55 +02:00 · 23df9a59e9
parent d4bcae78f9
commit 23df9a59e9
4 changed files with 27 additions and 7 deletions
--- a/packages/js/csv-export/changelog/add-change-csv-export-escape-char
+++ b/packages/js/csv-export/changelog/add-change-csv-export-escape-char
@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Use single quote instead of tab for escaping in CSV exports.
--- a/packages/js/csv-export/src/mocks/mock-csv-data.js
+++ b/packages/js/csv-export/src/mocks/mock-csv-data.js
@ -1,2 +1,2 @@
 export default `Date,Orders,Description,"Total sales",Refunds,Coupons,Taxes,Shipping,"Net sales","Negative number"
-2018-04-29T00:00:00,30,"Lorem, ""ipsum""",200,19,19,100,19,200,"\t-123"`;
+2018-04-29T00:00:00,30,"Lorem, ""ipsum""",200,19,19,100,19,200,"'-123"`;
--- a/packages/js/csv-export/src/index.ts
+++ b/packages/js/csv-export/src/index.ts
@ -20,10 +20,19 @@ function escapeCSVValue( value: string | number ) {
 	let stringValue = value.toString();

 	// Prevent CSV injection.
-	// See: http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
+	// See: https://owasp.org/www-community/attacks/CSV_Injection
 	// See: WC_CSV_Exporter::escape_data()
-	if ( [ '=', '+', '-', '@' ].includes( stringValue.charAt( 0 ) ) ) {
-		stringValue = '"\t' + stringValue + '"';
+	if (
+		[
+			'=',
+			'+',
+			'-',
+			'@',
+			String.fromCharCode( 0x09 ), // tab
+			String.fromCharCode( 0x0d ), // carriage return
+		].includes( stringValue.charAt( 0 ) )
+	) {
+		stringValue = '"\'' + stringValue + '"';
 	} else if ( stringValue.match( /[,"\s]/ ) ) {
 		stringValue = '"' + stringValue.replace( /"/g, '""' ) + '"';
 	}
--- a/packages/js/csv-export/src/test/index.ts
+++ b/packages/js/csv-export/src/test/index.ts
@ -33,9 +33,16 @@ describe( 'generateCSVDataFromTable', () => {
 		);
 	} );

-	it( 'should prefix tab character when the cell value starts with one of =, +, -, and @', () => {
-		[ '=', '+', '-', '@' ].forEach( ( val ) => {
-			const expected = 'value\n"\t' + val + 'test"';
+	it( 'should prefix single quote character when the cell value starts with one of =, +, -, @, tab, and carriage return', () => {
+		[
+			'=',
+			'+',
+			'-',
+			'@',
+			String.fromCharCode( 0x09 ), // tab
+			String.fromCharCode( 0x0d ), // carriage return
+		].forEach( ( val ) => {
+			const expected = 'value\n"\'' + val + 'test"';
 			const result = generateCSVDataFromTable(
 				[
 					{