Skip to main content
All docs
V24.1

Encode CSV Files to Reduce CSV Injection Risks

If you export data from ASP.NET Core DataGrid or PivotGrid in CSV format, your web app may be vulnerable to a CSV Injection Attack (also known as a formula injection attack).

A CSV Injection Attack involves the injection of harmful characters that act as a formula and are executed within a computer network. When executed, the malicious formula can manipulate/delete user data or provide unauthorized access to data/internal resources. Cell values that begin with =, +, -, and @ characters can initiate an injection attack.

Encode CSV files to prevent execution of potentially harmful code. Pass the encodeExecutableContent option as an argument of the configuration object (for exportDataGrid or exportPivotGrid functions):

@(Html.DevExtreme().DataGrid()
    // ...
    .Export(e => e
        .Enabled(true)
        .Formats(new[] { "csv" })
    )
    .OnExporting("exporting")
)

<script>
    function exporting(e) {
        var workbook = new ExcelJS.Workbook();
        var worksheet = workbook.addWorksheet('Employees');

        DevExpress.excelExporter.exportDataGrid({
            component: e.component,
            worksheet: worksheet,
            encodeExecutableContent: true
        }).then(function () {
            workbook.csv.writeBuffer().then(function (buffer) {
                saveAs(new Blob([buffer], { type: 'application/octet-stream' }), 'DataGrid.csv');
            });
        });
    }
</script>