Commit 41c7d6ba authored by KR Moorhouse's avatar KR Moorhouse

Merge branch 'csv-injection-fix' into 'develop'

Add `@`, `+` and `-` to the list of leading characters that are neutralised to prevent CSV/formula injection in exported submission values (previously only `=` was checked).

See merge request ninja-forms/ninja-forms!3658
parents ba1b09fe 7d1bacc4
......@@ -27,10 +27,28 @@ class NF_Fields_Textarea extends NF_Abstracts_Input
$this->_settings[ 'default' ][ 'type' ] = 'textarea';
$this->_settings[ 'placeholder' ][ 'type' ] = 'textarea';
add_filter( 'ninja_forms_subs_export_field_value_' . $this->_name, array( $this, 'filter_csv_value' ), 10, 2 );
}
public function admin_form_element( $id, $value )
{
return "<textarea class='widefat' name='fields[$id]'>$value</textarea>";
}
public function filter_csv_value( $field_value, $field ) {
/*
* sanitize this in case someone tries to inject data that runs in
* Excel and similar apps
* */
if( 0 < strlen($field_value ) ) {
$first_char = substr( $field_value, 0, 1 );
if( in_array( $first_char, array( '=', '@', '+', '-' ) ) ) {
return "'" . $field_value;
}
}
return $field_value;
}
}
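Review bot: The new filter_csv_value only neutralises `=`, `@`, `+` and `-`, but a cell beginning with a tab or carriage return is also treated as a formula trigger by Excel and LibreOffice, so the list should be `array( '=', '@', '+', '-', "\t", "\r" )`, and `in_array` should pass `true` as its third argument to avoid loose comparison. Because this is a textarea, a value may contain embedded newlines; whether the export writer quotes those is not visible here, and if it does not, text after a line break would land at the start of a new row or cell where this first-character check never runs, so confirm the writer quotes multi-line values. Legitimate values such as negative numbers or `+44` phone numbers will now be exported with a leading apostrophe; that is the accepted trade-off, but it deserves a line in the comment, e.g. `// prefix with ' so spreadsheet apps read the cell as text; also affects legitimate leading - and + values`.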
......@@ -42,8 +42,11 @@ class NF_Fields_Textbox extends NF_Abstracts_Input
* sanitize this in case someone tries to inject data that runs in
* Excel and similar apps
* */
if( strpos( $field_value, '=' ) === 0 ) {
return "'" . $field_value;
if( 0 < strlen($field_value ) ) {
$first_char = substr( $field_value, 0, 1 );
if( in_array( $first_char, array( '=', '@', '+', '-' ) ) ) {
return "'" . $field_value;
}
}
return $field_value;
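Review bot: This replicates the exact prefix check just added to NF_Fields_Textarea, so the list of dangerous leading characters now lives in two places and will drift; it should be hoisted into a single helper on the shared parent NF_Abstracts_Input (e.g. `protected function escape_csv_formula( $value )`) that both field classes call. As with the textarea copy, the list omits tab and carriage return, which spreadsheet apps also treat as formula triggers, and `in_array` is called without strict comparison — `if( in_array( $first_char, array( '=', '@', '+', '-', "\t", "\r" ), true ) ) {`. The enclosing filter_csv_value starts above this hunk, so its signature and any earlier guard are not visible here.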
......