Unplanned
Last Updated: 01 Jul 2020 14:08 by ADMIN
Jonathan
Created on: 26 Jun 2020 22:29
Category: Kendo UI for jQuery
Type: Feature Request
2
Add ability to sanitize exported data in Excel spreadsheet to prevent formula-injection

When exporting data to an Excel spreadsheet, unsanitized data can be used to trigger a formula-injection attack. For example, a malicious user could embed a formula in a normal business object field (eg. the description of a movie), then wait for an unsuspecting user to export the data to Excel. When the file is opened in Excel and the cell is clicked, the formula is executed on the user's machine, which can be used to do bad stuff (execute commands, exfiltrate data...). While the latest versions of Excel have added a lot of warnings when you open a spreadsheet, they often recommend opening the file only if the user trusts the originating web site, which is normally the case.

One way to mitigate the issue is to prepend a single quote to a value in Excel, which neutralizes the formula and forces the value to be interpreted as a string. The single quote is not shown in the Excel grid, but is visible in the formula bar.

With Kendo UI for jQuery, we can modify the data on the fly to prepend a single quote, which does neutralize the formula, but the single quote is shown in the Excel grid.

To obtain the same behavior as Excel, we need to use the quotePrefix cell format in Office Open XML (see quotePrefix in this link).

Hence, I would like to have something similar to the following feature in the Kendo UI ooxml module:

 

I think the effort would be minimal, and it will yield a far better experience for users when the server tries to overcome the formula-injection problem.

Thanks,

Jonathan Fortier

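The two mitigations the request contrasts, as an added example in plain JavaScript (this is not Kendo UI code and not the requested feature; it is written here to illustrate the thread). The first half is the neutralization that is possible today: a sanitizer that prepends a single quote to any string cell that starts with a character Excel treats as a formula trigger, walked over a workbook object in the shape Kendo's excelExport event is assumed to hand you (`e.workbook.sheets[].rows[].cells[].value`; treat that shape as an assumption and check it against the Kendo docs for your version). The second half shows what the requested feature would have to emit at the OOXML level: a `cellXfs` entry carrying `quotePrefix="1"` and a cell that references it by style index, so the value stays a literal string without the quote showing in the grid. The style index `1`, the constant and function names, and the constructed sample workbook are all assumptions made for the example.

```javascript
// Added example, not part of the Kendo UI code base.
// Characters that make Excel (and LibreOffice) parse a cell as a formula.
// '-' and '+' are included because "=" is not the only trigger; tab and CR
// are included because they can start a formula after a CSV/clipboard round-trip.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', '\t', '\r'];

function isFormulaLike(value) {
  return typeof value === 'string' && value.length > 0 &&
    FORMULA_TRIGGERS.includes(value[0]);
}

// Mitigation 1 (possible today): prepend a quote so Excel stores a literal string.
// As the post notes, the quote is visible in the grid when done this way.
function quoteIfFormula(value) {
  return isFormulaLike(value) ? "'" + value : value;
}

// Walk a workbook in the assumed excelExport shape (sheets[].rows[].cells[].value)
// and neutralize every string cell in place. Numeric cells are left alone, so a
// genuine negative number is never turned into text. Returns the number of cells changed.
function sanitizeWorkbook(workbook) {
  let touched = 0;
  for (const sheet of workbook.sheets) {
    for (const row of sheet.rows) {
      for (const cell of row.cells) {
        if (isFormulaLike(cell.value)) {
          cell.value = "'" + cell.value;
          touched++;
        }
      }
    }
  }
  return touched;
}
// Assumed wiring in a grid configuration (hypothetical, not verified against a Kendo build):
//   excelExport: function (e) { sanitizeWorkbook(e.workbook); }

// Mitigation 2 (what the request asks for): emit the OOXML quotePrefix style.
// styles.xml fragment: index 0 is the default cell format, index 1 is the
// same format with quotePrefix="1" (assumed layout; only the attribute matters).
const QUOTE_PREFIX_CELLXFS =
  '<cellXfs count="2">' +
  '<xf numFmtId="0" fontId="0" fillId="0" borderId="0" xfId="0"/>' +
  '<xf numFmtId="0" fontId="0" fillId="0" borderId="0" xfId="0" quotePrefix="1"/>' +
  '</cellXfs>';

function escapeXml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Sheet-level cell element. Numbers are written as numeric <v>; strings are
// written as inline strings, and formula-like strings get s="1" so Excel shows
// them verbatim with no leading quote in the grid. The value itself is untouched.
function cellXml(ref, value) {
  if (typeof value === 'number') {
    return `<c r="${ref}"><v>${value}</v></c>`;
  }
  const style = isFormulaLike(value) ? ' s="1"' : '';
  return `<c r="${ref}"${style} t="inlineStr"><is><t>${escapeXml(value)}</t></is></c>`;
}

// Constructed sample, standing in for what a grid's excelExport event would carry.
const sampleWorkbook = {
  sheets: [{
    rows: [
      { type: 'header', cells: [{ value: 'Title' }, { value: 'Year' }, { value: 'Description' }] },
      { type: 'data', cells: [{ value: 'Heat' }, { value: 1995 }, { value: '=HYPERLINK("http://example.test","click")' }] },
      { type: 'data', cells: [{ value: '-Ronin' }, { value: 1998 }, { value: 'Normal text' }] }
    ]
  }]
};
```

Running `sanitizeWorkbook(sampleWorkbook)` changes two cells (the HYPERLINK payload and the title starting with a dash) and leaves the numeric years alone; `cellXml('C2', '=HYPERLINK(...)')` is the shape of cell the requested feature would write instead, paired with the `QUOTE_PREFIX_CELLXFS` entry in styles.xml. The trade-off of the trigger list is visible in the sample: a legitimate title beginning with `-` or `+` is quoted too, which is the accepted cost of not having to decide what is and is not a formula.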
1 comment
ADMIN
Ivan Danchev
Posted on: 01 Jul 2020 14:08

Hello,

Thank you for posting this feature request. It is a valid suggestion, so we've made this thread public in our Feedback Portal:  https://feedback.telerik.com/kendo-jquery-ui/1473733-add-ability-to-sanitize-exported-data-in-excel-spreadsheet-to-prevent-formula-injection

This allows us to track the community's interest in specific features and plan their implementation accordingly. We would recommend casting your vote for it, since the more votes it gets the higher it goes in our priority queue.

Regards,
Ivan Danchev
Progress Telerik
