[data grid] Sanitize cells with formulas for CSV export used in Excel

[cherniavskii]

Summary

https://groups.google.com/u/0/a/mui.com/g/security/c/L5bFSD3uwF8

Examples

No response

Motivation

No response

Search keywords: csv excel

[MBilalShafi]

We could do this along with introducing a value getter/serializer which would also allow the users to customize the exported values on top of sanitization.
Here's a related issue: #8193

[oliviertassinari]

There seem to be a couple of opportunities to improve the CSV export features. I tried to rank these:

1. It feels like we are missing callbacks for developers to customize the exports. For example, a callback for each CSV export cell, a callback for each Excel call, a flag to say if valueFormatter should be used or not per column, etc.

2. We could have an opt-in flag to escape formulas by default. See:
   
   http://georgemauer.net/2017/10/07/csv-injection.html

So for instance https://www.ag-grid.com/react-data-grid/csv-export/#security-concerns not being opt-in feels borderline.

Should this be opt-out? https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection suggests that it shouldn't. CSV has other applications, we might not be able to make an escaping logic that doesn't break some other types of applications. I wouldn't be against trying, just don't know if it would work. The root problem is really Excel.

I can't find anyone who makes this opt-out and it's rare to even find CSV libraries who have an option for it, e.g. FasterXML/jackson-dataformats-text#326 (comment), but then this is very strange UX to me:

Screen.Recording.2024-01-16.at.20.56.06.mov

3. It would be great to have interactive playground demos where developers can see the actual CSV exports https://mui.com/x/react-data-grid/export/#csv-export.
4. I don't know about having the apiRef at the bottom of the page https://mui.com/x/react-data-grid/export/#apiref. Feel like this should be one per section (CSV, Excel, Print). I initially didn't realize how to use the CSV export. I mean, the whole page needs to be read right now, even if you are only interested in one of these 3 exports. This move could help.

[mauro-ni]

Good morning,
I'm commenting on this issue to find out when a resolution is expected.

We have a dozen applications with a total of about fifty DataGridPremium instances, some of them have a lot of columns.
An ad hoc resolution could be costly and complicated (to avoid duplication of escaping logic).

An opt-in/opt-out solution with a flag on the DataGridPremium component and/or single column would be ideal.

Thank you.

Mauro

Premium subscription Order ID: 47709

[cherniavskii]

Hi Mauro,
I'm handling the community support this week, I'll look into it.
You can expect a solution by the end of next week.

[github-actions]

⚠️ This issue has been closed. If you have a similar problem but not exactly the same, please open a new issue.
Now, if you have additional information related to this issue or things that could help future readers, feel free to leave a comment.

@cherniavskii: How did we do? Your experience with our support team matters to us. If you have a moment, please share your thoughts in this short Support Satisfaction survey.