Prevent Against CSV Injection Attacks
DevExpress Card View, Grid View, Pivot Grid, and Vertical Grid controls allow you to export data in CSV format. The exported file may contain content that spreadsheet software (such as Microsoft Excel) interprets as a formula. These formulas can execute shell commands when a user opens the file. For example, the following formula runs the Windows Calculator:
=cmd|' /C calc'!'!A1'
DevExpress Grid-like controls do not auto-encode executable content for the following reasons:
- Microsoft Excel requires user permission to run executable content.
- Encoding may unintentionally alter data, such as negative numbers or text values that start with the “=” character.
DevExpress ASP.NET Web Forms controls include a built-in mechanism to encode executable content. During CSV export operations, this mechanism encloses values that start with “=”, “-”, “+”, “@”, or “” in quote characters, so spreadsheet software reads them as text rather than as formulas. Enable executable content encoding to protect your application against CSV injection attacks (see CWE-74).
Encode Executable Content for All DevExpress Controls
Set the EncodeCsvExecutableContent property to True in the Global.asax file to enable encoding at the application level:

    void Application_Start(object sender, EventArgs e) {
        DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.True;
    }
Encode Executable Content for a Specific DevExpress Control
Set the EncodeExecutableContent property to true to enable content encoding for a specific control.
- Built-in Export Commands
The following example encodes content once a user clicks the built-in export button in the DevExpress Grid View’s toolbar:

    <dx:ASPxGridView ID="grid" runat="server" OnBeforeExport="grid_BeforeExport">
        <Toolbars>
            <dx:GridViewToolbar>
                <Items>
                    <dx:GridViewToolbarItem Command="ExportToCsv" />
                </Items>
            </dx:GridViewToolbar>
        </Toolbars>
        <Columns>
            <!-- ... -->
        </Columns>
        <SettingsExport EnableClientSideExportAPI="true" ExcelExportMode="WYSIWYG" />
    </dx:ASPxGridView>
- Custom Export Commands
If you call the ExportToCsv or ExportCsvToResponse method, encode executable content as follows:

    <dx:ASPxButton ID="button" runat="server" Text="Export to CSV" OnClick="button_Click" />
    <dx:ASPxGridView ID="grid" runat="server">
        <Columns>
            <!-- ... -->
        </Columns>
    </dx:ASPxGridView>
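The markup above wires the button to a button_Click handler whose code-behind is not shown on this page. The following is an added example, not DevExpress documentation code, of what that handler can look like. It assumes the control IDs from the markup (grid, button), the CsvExportOptionsEx class from the DevExpress.XtraPrinting namespace as the options type that carries the EncodeExecutableContent property named in this article, and an ExportCsvToResponse overload that accepts a file name and that options object; verify those names against the DevExpress version you use.

```csharp
// Added example (not from the DevExpress documentation page).
// Assumed: CsvExportOptionsEx (DevExpress.XtraPrinting) exposes EncodeExecutableContent,
// and ASPxGridView.ExportCsvToResponse(string, CsvExportOptionsEx) exists in your version.
using System;
using DevExpress.Utils;
using DevExpress.XtraPrinting;

public partial class ExportPage : System.Web.UI.Page {
    protected void button_Click(object sender, EventArgs e) {
        // Opt in explicitly: the grid does not encode formula-like cell values by default,
        // so a custom export command must pass the option on every call.
        var options = new CsvExportOptionsEx {
            EncodeExecutableContent = DefaultBoolean.True
        };

        // With encoding enabled, cell values that start with "=", "-", "+" or "@"
        // (for example =cmd|' /C calc'!'!A1') are written inside quote characters,
        // so the spreadsheet treats them as text instead of evaluating them.
        grid.ExportCsvToResponse("export.csv", options);
    }
}
```

Keep the application-level EncodeCsvExecutableContent setting from Global.asax enabled as well; the per-call option only covers exports that go through this handler, while the global setting is the safety net for any export path you did not touch.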