From f93d7c2b725640d1cde87a37d914893fc61dd363 Mon Sep 17 00:00:00 2001
From: framartin <martin.gubri@framasoft.org>
Date: Sun, 19 Feb 2017 22:54:30 +0100
Subject: [PATCH] Fix Formula Injection in CSV Export

---
 server.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 63eff9e..ad48136 100644
--- a/server.js
+++ b/server.js
@@ -575,17 +575,25 @@ function exportBoard( format, client, data )
 					} else if (format === 'csv') {
 						var max = 0;
 						var line = new Array();
+						var patt_vuln = new RegExp("^[=+\-@]");
 						for (var i = 0; i < columns.length; i++) {
 							if (cols[columns[i]].length > max) {
 								max = cols[columns[i]].length;
 							}
-							line.push('"'+columns[i].replace(/"/g,'""')+'"');
+							var val = columns[i].replace(/"/g,'""');
+							if (patt_vuln.test(val)) { // prevent CSV Formula Injection
+								var val = "'"+val;
+							}
+							line.push('"'+val+'"');
 						}
 						text.push(line.join(','));
 						for (var j = 0; j < max; j++) {
 							line = new Array();
 							for (var i = 0; i < columns.length; i++) {
 								var val = (cols[columns[i]][j] !== undefined) ? cols[columns[i]][j]['text'].replace(/"/g,'""') : '';
+								if (patt_vuln.test(val)) { // prevent CSV Formula Injection
+									var val = "'"+val;
+								}
 								line.push('"'+val+'"');
 							}
 							text.push(line.join(','));