When exporting data to an Excel spreadsheet, unsanitized data can be used to trigger a formula-injection attack. For example, a malicious user could embed a formula in a normal business object field (eg. description of a movie), then wait for a unsuspecting user to export the data to Excel. When the file is open in Excel and the cell is clicked, the formula is executed on the user machine, which can be used to do bad stuff (execute commands, exfiltrate data...). While latest versions of Excel has added a lot of warning when you open spreadsheet, it often recommend to open the file only if the user trusts the originating web site, which is normally the case.

One way to mitigate the issue is to prepend a single-quote to a value in Excel, which neutralize the formula and force the value to be interpreted as a string. The single quote is not shown in the Excel grid, but is visible in the formula bar. 

With Kendo UI for jQuery, we can modify the data on the fly to prepend a single-quote, which does neutralize formula, but the single quote is shown in the Excel grid. 

To obtain the same behavior as Excel, we need to use the quotePrefix cell format in Office Open Xml (see quotePrefix in this link).

Hence, I would like to have something similar to the following feature in Kendo UI ooxml module:

• Add a property to cells (https://docs.telerik.com/kendo-ui/api/javascript/ooxml/workbook/configuration/sheets.rows.cells), similar to other styles (italic, wrap...), called quotePrefix, that takes a boolean value (default=false)
• When that property is 'true', add 'quotePrefix="1"' to the cell style in the generated OpenXML spreadsheet (inside "cellXfs / xf" elements)

I think the effort would be minimal, and it will yield far better experience for users when server tries to overcome the fomula-injection problem.

Thanks,

Jonathan Fortier