View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0036991 | mantisbt | security | public | 2026-03-23 08:40 | 2026-03-23 08:48 |
| Reporter | dregad | Assigned To | dregad | ||
| Priority | high | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 2.25.3 | ||||
| Target Version | 2.28.2 | Fixed in Version | 2.28.2 | ||
| Summary | 0036991: Improve protection against CSV injection | ||||
| Description | Issue 0029130 introduced an option to reduce risk of CSV injection. The original fix works as-is, but according to OWASP [1], when prefixing a string with tab to avoid CSV injection, the string should always be quoted. | ||||
| Tags | No tags attached. | ||||

MantisBT: master-2.28 65c2dd3e, 2026-03-19 14:29

Always quote tab-prefixed CSV string when escaping

According to OWASP [1], when prefixing a string with tab to avoid CSV injection, the string should always be quoted.

Improves fix for Issue 0029130.

Fixes 0036991

[1]: https://owasp.org/www-community/attacks/CSV_Injection#excel-resistant-mitigation

Affected Issues: 0029130, 0036991

mod - core/csv_api.php
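
The escaping rule described in this issue, as an added PHP example that is not MantisBT's `csv_api.php` code. The function name `escape_csv_cell`, its parameters and the trigger-character list (taken from the OWASP CSV Injection page) are assumptions, and the sample cells are constructed.

```php
<?php
// Added example: hypothetical names, not the project's own implementation.

// Leading characters treated as formula triggers (assumption: the list given
// on the OWASP CSV Injection page; the project may use a different set).
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Escape one CSV cell.
 *
 * @param string $value               Raw cell content.
 * @param string $separator           Field separator.
 * @param bool   $alwaysQuotePrefixed true  = quote every tab-prefixed cell,
 *                                    false = quote only when the content
 *                                            requires it (for comparison).
 */
function escape_csv_cell(string $value, string $separator = ',', bool $alwaysQuotePrefixed = true): string
{
    // Prefix with a tab when the cell starts with a formula trigger.
    $prefixed = $value !== '' && in_array($value[0], FORMULA_TRIGGERS, true);
    if ($prefixed) {
        $value = "\t" . $value;
    }

    // Ordinary CSV quoting: required for quotes, separators and line breaks.
    $needsQuotes = strpbrk($value, '"' . $separator . "\r\n") !== false;

    if ($needsQuotes || ($prefixed && $alwaysQuotePrefixed)) {
        // Double embedded quotes, then wrap the whole cell.
        return '"' . str_replace('"', '""', $value) . '"';
    }
    return $value;
}

// Constructed sample cells, such as an issue summary field might contain.
$samples = ['Login page broken', '=1+1', '@SUM(A1:A2)', '-2,5', 'say "hi"'];

foreach ($samples as $cell) {
    // json_encode() makes the tab and the quotes visible in the output.
    printf(
        "%-22s unquoted prefix: %-20s always quoted: %s\n",
        json_encode($cell),
        json_encode(escape_csv_cell($cell, ',', false)),
        json_encode(escape_csv_cell($cell, ',', true))
    );
}
```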