WordPress.org

Making WordPress.org

Changeset 3799


Ignore:
Timestamp:
08/10/2016 06:19:04 PM (4 years ago)
Author:
iandunn
Message:

WordCamp Helpers: Add esc_csv() to escape strings in CSV context.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • sites/trunk/wordcamp.org/public_html/wp-content/mu-plugins/helper-functions.php

    r3749 r3799  
    195195    return WordCamp_Budgets::get_valid_countries_iso3166();
    196196}
     197
     198/**
     199 * Escape a string to be used in a CSV context
     200 *
     201 * Malicious input can inject formulas into CSV files, opening up the possibility for phishing attacks,
     202 * information disclosure, and arbitrary command execution.
     203 *
     204 * @see http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
     205 * @see https://hackerone.com/reports/72785
     206 *
     207 * @param array $fields
     208 *
     209 * @return array
     210 */
     211function wcorg_esc_csv( $fields ) {
     212    $active_content_triggers = array( '=', '+', '-', '@' );
     213
     214    foreach( $fields as $index => $field ) {
     215        if ( in_array( mb_substr( $field, 0, 1 ), $active_content_triggers, true ) ) {
     216            $fields[ $index ] = "'" . $field;
     217        }
     218    }
     219
     220    return $fields;
     221}
Note: See TracChangeset for help on using the changeset viewer.