Changeset 3799

Timestamp:

08/10/2016 06:19:04 PM (7 years ago)

Author:

iandunn

Message:

WordCamp Helpers: Add esc_csv() to escape strings in CSV context.

File:

• sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/helper-functions.php (modified) (1 diff)

sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/helper-functions.php

@@ -195 +195 @@
     return WordCamp_Budgets::get_valid_countries_iso3166();
 }
+
+/**
+ * Escape a string to be used in a CSV context
+ *
+ * Malicious input can inject formulas into CSV files, opening up the possibility for phishing attacks,
+ * information disclosure, and arbitrary command execution.
+ *
+ * @see http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
+ * @see https://hackerone.com/reports/72785
+ *
+ * @param array $fields
+ *
+ * @return array
+ */
+function wcorg_esc_csv( $fields ) {
+    $active_content_triggers = array( '=', '+', '-', '@' );
+
+    foreach( $fields as $index => $field ) {
+        if ( in_array( mb_substr( $field, 0, 1 ), $active_content_triggers, true ) ) {
+            $fields[ $index ] = "'" . $field;
+        }
+    }
+
+    return $fields;
+}