Pending Review
Last Updated: 11 Mar 2026 14:46 by Tom
During a recent penetration test on our Blazor application that uses Telerik Blazor UI components, a security finding was reported regarding the possibility of Excel macro injection through exported Excel files generated via the Telerik Excel Export feature. 
We would like Telerik to implement built‑in safeguards to automatically neutralize potential macro injection vectors.

The penetration test revealed that it is currently possible to insert values beginning with Excel formula metacharacters—such as =, +, -, and @—into fields that are later exported using Telerik’s Excel Export functionality.
In older versions of Microsoft Excel, these values may be interpreted and executed as formulas when users open the exported file. Even though newer Excel versions often warn users, this still presents a security concern and may violate corporate export or data‑handling policies.

See also this blogpost: https://blog.securelayer7.net/how-to-perform-csv-excel-macro-injection/

The Telerik Excel Export functionality should include an option to automatically sanitize or escape values that may pose a risk of Excel macro or formula injection.
- Automatic escaping of formula-starting characters: Prepend a single quote (') to any exported value beginning with: '=', '+', '-', '@'.
- Optional configuration flag to enable/disable this behavior, for example: <GridExcelExportSettings EscapeFormulas="true" />
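As an added illustration of the proposed escaping rule (example code written for this request, not Telerik's own implementation), the following C# sanitiser applies the single-quote prefix to every string column of the rows handed to the export. It goes slightly beyond the four characters listed above by also treating a leading tab or carriage return as a trigger, as OWASP's CSV injection guidance does; `OrderRow` and the `OnBeforeExport` wiring are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed example: neutralise cell values that Excel may parse as formulas
// before they reach the Excel Export. Not Telerik's own code.
public static class ExcelCellSanitizer
{
    // The four characters named in the request, plus tab and carriage return,
    // which OWASP lists as additional formula triggers in CSV/Excel injection.
    private static readonly char[] FormulaTriggers = { '=', '+', '-', '@', '\t', '\r' };

    public static bool IsFormulaLike(string? value)
        => !string.IsNullOrEmpty(value) && FormulaTriggers.Contains(value[0]);

    // Prepend a single quote so the cell is stored as text (the proposed rule).
    // Apply this only to free-text columns: a phone number such as "+31..." or a
    // negative amount held as a string would otherwise be quoted too.
    public static string Sanitize(string? value)
        => IsFormulaLike(value) ? "'" + value : value ?? string.Empty;
}

// Assumed row shape of the grid being exported.
public record OrderRow(int Id, string Customer, string Note);

public static class ExportHelper
{
    // Return a copy of the rows with every free-text column sanitised.
    // Numeric columns (Id) are left alone; Excel never evaluates them as formulas.
    public static List<OrderRow> SanitizeForExport(IEnumerable<OrderRow> rows)
        => rows.Select(r => r with
        {
            Customer = ExcelCellSanitizer.Sanitize(r.Customer),
            Note = ExcelCellSanitizer.Sanitize(r.Note)
        }).ToList();

    // Quick self-check with constructed values (no Excel needed).
    public static void Demo()
    {
        var rows = new[]
        {
            new OrderRow(1, "ACME", "=HYPERLINK(\"http://example.invalid\",\"click\")"),
            new OrderRow(2, "@Contoso", "regular note"),
        };
        foreach (var r in SanitizeForExport(rows))
            Console.WriteLine($"{r.Id} | {r.Customer} | {r.Note}");
        // 1 | ACME | '=HYPERLINK("http://example.invalid","click")
        // 2 | '@Contoso | regular note
    }
}
```

In a Telerik Blazor Grid the sanitised copy would be assigned in the `OnBeforeExport` handler (assumed: `args.Data = ExportHelper.SanitizeForExport(originalRows);`) so the grid itself keeps showing the unmodified values.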

While we can implement a workaround in our own application code, we believe this is a security concern that many customers may encounter, and therefore a native solution within the Telerik framework would be highly valuable.

We kindly request that Telerik consider adding a built‑in mechanism to protect against Excel macro injection in exported files. This would improve security, reduce custom development work, and strengthen the reliability of Telerik’s Blazor export functionality.