V24.1

Prevent Against CSV Injection Attacks

DevExpress Card View, Grid View, Pivot Grid, and Vertical Grid controls allow you to export data in CSV format. The exported file may contain content that spreadsheet software (such as Microsoft Excel) interprets as a formula. These formulas can execute shell commands when a user opens the file. For example, the following formula runs the Windows Calculator:

=cmd|' /C calc'!'!A1'

DevExpress Grid-like controls do not auto-encode executable content for the following reasons:

  • Microsoft Excel requires user permission to run executable content.
  • Encoding may unintentionally alter data, such as negative numbers or text values that start with the “=” character.

DevExpress ASP.NET Web Forms controls include a built-in mechanism to encode executable content. During CSV export operations, this mechanism encloses values that start with “=”, “-”, “+”, “@”, or “” in quote characters. Enable executable content encoding to protect your application against CSV injection attacks (CWE-74).
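The following Python model is an added example, not DevExpress code and not part of this page: it reproduces the encoding rule just described for the four listed trigger characters, shows the negative-number side effect the page mentions, and adds a post-export check that reports bare cells the encoder should have quoted. The function names, the `raw_cells` tokenizer and the sample rows are constructed for the example.

```python
# Added example, not DevExpress code: model of the page's encoding rule plus a post-export check.
TRIGGER_CHARS = ("=", "-", "+", "@")  # leading characters the page lists


def encode_cell(value: str, encode_executable: bool = True) -> str:
    """CSV text for one cell. With encode_executable=True a cell starting with
    a trigger character is enclosed in double quotes (embedded quotes doubled)
    so spreadsheet software reads it as text. The side effect the page warns
    about is visible here: "-5" is quoted too, hence the setting is opt-in."""
    needs_quote = encode_executable and value.startswith(TRIGGER_CHARS)
    if needs_quote or any(ch in value for ch in ',"\r\n'):
        return '"' + value.replace('"', '""') + '"'
    return value


def export_rows(rows, encode_executable: bool = True) -> str:
    """Serialise rows (lists of values) to CSV text using encode_cell."""
    lines = [",".join(encode_cell(str(c), encode_executable) for c in row)
             for row in rows]
    return "\r\n".join(lines) + "\r\n"


def raw_cells(record: str):
    """Split one CSV record into raw cell texts, leaving quotes in place."""
    cells, cur, in_quotes = [], "", False
    for ch in record:
        if ch == '"':
            in_quotes = not in_quotes  # a doubled quote toggles twice
        if ch == "," and not in_quotes:
            cells.append(cur)
            cur = ""
        else:
            cur += ch
    cells.append(cur)
    return cells


def find_unencoded_formulas(csv_text: str):
    """Post-export check: (row, col, text) of every bare cell that starts with
    a trigger character, i.e. a cell the encoder should have quoted."""
    return [(r, c, cell)
            for r, line in enumerate(csv_text.splitlines())
            for c, cell in enumerate(raw_cells(line))
            if cell.startswith(TRIGGER_CHARS)]


if __name__ == "__main__":
    rows = [["Name", "Note"], ["Bob", "=cmd|' /C calc'!'!A1'"], ["Eve", "-5"]]
    print(find_unencoded_formulas(export_rows(rows, encode_executable=False)))
    print(find_unencoded_formulas(export_rows(rows)))  # [] once encoding is on
```

The scan is line-based, so quoted cells containing line breaks are outside what it handles. It deliberately reports bare negative numbers as well, because a bare "-5" in an export means the encoding setting was not applied.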

Encode Executable Content for All DevExpress Controls

Set the EncodeCsvExecutableContent property to True in the Global.asax file to enable encoding at the application level:

void Application_Start(object sender, EventArgs e) {
    // Enable executable content encoding for every CSV export in the application.
    DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.True;
}

Encode Executable Content for a Specific DevExpress Control

Set the EncodeExecutableContent property to true to enable content encoding for a specific control.

Built-in Export Commands

The following example encodes content once a user clicks the built-in export button in the DevExpress Grid View’s toolbar:

<dx:ASPxGridView ID="grid" runat="server" OnBeforeExport="grid_BeforeExport">
    <Toolbars>
        <dx:GridViewToolbar>
            <Items>
                <dx:GridViewToolbarItem Command="ExportToCsv" />
            </Items>
        </dx:GridViewToolbar>
    </Toolbars>
    <Columns>
        <!-- ... -->
    </Columns>
    <SettingsExport EnableClientSideExportAPI="true" ExcelExportMode="WYSIWYG" />
</dx:ASPxGridView>

using DevExpress.Utils;
using DevExpress.XtraPrinting;

protected void grid_BeforeExport(object sender, DevExpress.Web.ASPxGridBeforeExportEventArgs e) {
    // Only CSV exports carry the EncodeExecutableContent option; other formats are left unchanged.
    if (e.ExportOptions is CsvExportOptions csvOptions)
        csvOptions.EncodeExecutableContent = DefaultBoolean.True;
}

Custom Export Commands

If you call the ExportToCsv or ExportCsvToResponse method, encode executable content as follows:

<dx:ASPxButton ID="button" runat="server" Text="Export to CSV" OnClick="button_Click" />
<dx:ASPxGridView ID="grid" runat="server">
    <Columns>
        <!-- ... -->
    </Columns>
</dx:ASPxGridView>

protected void button_Click(object sender, EventArgs e) {
    // Build the CSV options with executable content encoding enabled before exporting.
    var options = new DevExpress.XtraPrinting.CsvExportOptions();
    options.EncodeExecutableContent = DevExpress.Utils.DefaultBoolean.True;
    grid.ExportCsvToResponse(options);
}