What Is Excel Injection?
Excel injection occurs when a CSV or Excel file is crafted to contain control characters in a cell which run a command when the file is opened. When a cell starts with =, +, or – in a string field, Excel can be made to launch executable files or visit a webpage. As an example, putting the string =cmd|' /C calc'!A0
will launch the calculator app on Windows when the sheet is opened and the user confirms to trust the source of the file.
What are the risks?
Through injection, Excel can be made to open arbitrary programs or visit malicious URLs. A warning does pop up telling the user about the risks, but it may be ignored because it asks whether you trust the source of the file.
How can I prevent it?
To prevent injection attacks, you need to sanitize the inputs. Make sure any Excel special characters at the start of a cell are escaped using a single '
quotation mark (so e.g. =
becomes '=
).