minor #61951 [Serializer] Escape values starting with line feed when using csv_escape_formulas (Peter Mead)

nicolas-grekas · nicolas-grekas · commit 243490799fc9 · 2025-10-16T18:08:39.000+02:00
This PR was merged into the 7.4 branch. Discussion ---------- [Serializer] Escape values starting with line feed when using `csv_escape_formulas` | Q | A | ------------- | --- | Branch? | 7.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Issues | | License | MIT Change `CsvEncoder` so that it follows the latest OWASP guidelines on CSV injection. When escape formulas is enabled it will escape values starting with a line feed. This is in addition other the other starting characters of equals, plus, minus, at sign, tab, and carriage return. [OWASP: CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection) Commits ------- d544c8737a0 [Serializer] CsvEncoder to escape values starting with line feed when escape formulas is enabled
diff --git a/Encoder/CsvEncoder.php b/Encoder/CsvEncoder.php
@@ -39,7 +39,7 @@ class CsvEncoder implements EncoderInterface, DecoderInterface
 
     private const UTF8_BOM = "\xEF\xBB\xBF";
 
-    private const FORMULAS_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r"];
+    private const FORMULAS_START_CHARACTERS = ['=', '-', '+', '@', "\t", "\r", "\n"];
 
     private array $defaultContext = [
         self::DELIMITER_KEY => ',',
diff --git a/Tests/Encoder/CsvEncoderTest.php b/Tests/Encoder/CsvEncoderTest.php
@@ -310,6 +310,15 @@ public function testEncodeFormulas()
             $this->encoder->encode(["\ttab"], 'csv')
         );
 
+        $this->assertSame(<<<'CSV'
+            0
+            "'
+            line feed"
+
+            CSV,
+            $this->encoder->encode(["\nline feed"], 'csv')
+        );
+
         $this->assertSame(<<<'CSV'
             0
             "'=1+2"";=1+2"
@@ -438,6 +447,17 @@ public function testEncodeFormulasWithSettingsPassedInContext()
             ])
         );
 
+        $this->assertSame(<<<'CSV'
+            0
+            "'
+            line feed"
+
+            CSV,
+            $this->encoder->encode(["\nline feed"], 'csv', [
+                CsvEncoder::ESCAPE_FORMULAS_KEY => true,
+            ])
+        );
+
         $this->assertSame(<<<'CSV'
             0
             "'=1+2"";=1+2"
