V23.2

Encode CSV Files to Reduce CSV Injection Risks

If you export data from ASP.NET Core DataGrid or PivotGrid in CSV format, your web app may be vulnerable to a CSV Injection Attack (also known as a formula injection attack).

A CSV Injection Attack involves the injection of characters that the spreadsheet application opening the exported file interprets and executes as a formula. When executed, the malicious formula can manipulate/delete user data or provide unauthorized access to data/internal resources. Cell values that begin with the =, +, -, or @ character can initiate an injection attack.

Encode CSV files to prevent execution of potentially harmful content. Pass the encodeExecutableContent option in the configuration object of the exportDataGrid or exportPivotGrid function:

@(Html.DevExtreme().DataGrid()
    // ...
    .Export(e => e
        .Enabled(true)
        .Formats(new[] { "csv" })
    )
    .OnExporting("exporting")
)

<script>
    function exporting(e) {
        // Build the workbook with ExcelJS; the CSV writer below serializes it.
        var workbook = new ExcelJS.Workbook();
        var worksheet = workbook.addWorksheet('Employees');

        DevExpress.excelExporter.exportDataGrid({
            component: e.component,
            worksheet: worksheet,
            // Neutralizes cell values that start with =, +, - or @ so a
            // spreadsheet treats them as text rather than formulas.
            encodeExecutableContent: true
        }).then(function () {
            workbook.csv.writeBuffer().then(function (buffer) {
                // saveAs is provided by FileSaver.js.
                saveAs(new Blob([buffer], { type: 'application/octet-stream' }), 'DataGrid.csv');
            });
        });
    }
</script>
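To make concrete what the encoding described above does, here is an added example in plain JavaScript. It is not DevExtreme's own implementation of encodeExecutableContent; the function names, the trigger set, the quote-prefix technique and the sample rows are assumptions constructed for this demonstration. It writes CSV from an array of rows, neutralizes string cells that begin with =, +, - or @, and includes an audit helper that reports which cells would otherwise be executable.

```javascript
// Added example, not DevExtreme code: minimal CSV writer that neutralizes
// cells a spreadsheet would evaluate as formulas (assumed trigger set from
// the text above).
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@']);

// True when a spreadsheet could interpret the cell as a formula. Numbers are
// never executable (a negative number starts with '-' but is still a number),
// so only string-typed values are checked.
function isExecutable(value) {
  if (typeof value === 'number') return false;
  const text = String(value ?? '');
  return text.length > 0 && FORMULA_TRIGGERS.has(text[0]);
}

// Prefix an executable cell with a single quote so the spreadsheet stores the
// content as literal text. Non-executable cells are returned unchanged.
function encodeCell(value) {
  const text = String(value ?? '');
  return isExecutable(value) ? "'" + text : text;
}

// RFC 4180 style quoting: wrap fields containing a comma, quote or line break
// in double quotes and double any embedded quotes.
function quoteField(text) {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

// Serialize rows to CSV. encodeExecutableContent mirrors the option's intent:
// when false, formula-like cells are written verbatim.
function toCsv(rows, { encodeExecutableContent = true } = {}) {
  return rows
    .map(row => row
      .map(cell => quoteField(encodeExecutableContent ? encodeCell(cell) : String(cell ?? '')))
      .join(','))
    .join('\r\n');
}

// Audit helper: positions of every cell that would be executable if exported
// without encoding. Useful for logging or for blocking an export in review.
function findExecutableCells(rows) {
  const hits = [];
  rows.forEach((row, r) => row.forEach((cell, c) => {
    if (isExecutable(cell)) hits.push({ row: r, col: c, value: String(cell) });
  }));
  return hits;
}

// Constructed sample data (not real records): row 2 carries a formula in the
// Name column, row 3 carries @ and + prefixes, row 4 needs CSV quoting.
const SAMPLE_ROWS = [
  ['ID', 'Name', 'Balance'],
  [1, 'Alice Example', -12.5],
  [2, '=SUM(C2:C3)', 300],
  [3, '@mention', '+1'],
  [4, 'Smith, "Bob"', 0],
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findExecutableCells(SAMPLE_ROWS));
  console.log(toCsv(SAMPLE_ROWS));
}
```

Two design points are worth noting. First, the check is applied to string values only; a naive first-character test would also neutralize every negative number and turn numeric columns into text. Second, the single-quote prefix is the common mitigation, but the quote character is visible as part of the cell in viewers that do not special-case it, so a process that later re-imports the CSV must strip it.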