Encode CSV Files to Reduce CSV Injection Risks

If you export data from ASP.NET Core DataGrid or PivotGrid in CSV format, your web app may be vulnerable to a CSV Injection Attack (also known as a formula injection attack).

A CSV Injection Attack involves the injection of cell values that a spreadsheet application interprets as a formula; the formula executes when a user opens the exported file in that application. When executed, the malicious formula can manipulate/delete user data or provide unauthorized access to data/internal resources. Cell values that begin with =, +, -, and @ characters can initiate an injection attack.

Encode CSV files to prevent execution of potentially harmful content. Set the encodeExecutableContent option in the configuration object that you pass to the exportDataGrid or exportPivotGrid function:

```cshtml
@(Html.DevExtreme().DataGrid()
    // ...
    .Export(e => e
        .Enabled(true)
        .Formats(new[] { "csv" })
    )
    .OnExporting("exporting")
)

<script>
    function exporting(e) {
        var workbook = new ExcelJS.Workbook();
        var worksheet = workbook.addWorksheet('Employees');

        DevExpress.excelExporter.exportDataGrid({
            component: e.component,
            worksheet: worksheet,
            // Neutralize cell values that a spreadsheet would treat as formulas
            encodeExecutableContent: true
        }).then(function () {
            // Serialize the workbook as CSV and hand it to the browser as a download
            workbook.csv.writeBuffer().then(function (buffer) {
                saveAs(new Blob([buffer], { type: 'application/octet-stream' }), 'DataGrid.csv');
            });
        });
    }
</script>
```
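The following added example is not DevExtreme's implementation of encodeExecutableContent; it is a minimal stand-alone CSV writer that illustrates the general mitigation the option applies: a string cell beginning with one of the four characters listed above is prefixed with a single quote so that a spreadsheet treats it as literal text, and every field is then quoted per RFC 4180. The function names (looksExecutable, encodeExecutableCell, quoteCsvField, toCsv), the sample rows and the option name on toCsv are assumptions made for this illustration.

```javascript
// Added example, not DevExtreme's own code: a minimal CSV writer that
// neutralizes formula-triggering cell values the way the page describes.

// The characters the page lists as able to start a formula in a spreadsheet.
const FORMULA_TRIGGERS = ['=', '+', '-', '@'];

// Only string cells are inspected: a numeric -5 must stay a number in the
// export, while the string "-5" would be read as a formula prefix.
function looksExecutable(value) {
  return typeof value === 'string' && value.length > 0 &&
    FORMULA_TRIGGERS.includes(value[0]);
}

// Prefix a formula-like cell with a single quote so the spreadsheet
// application stores and displays it as text instead of evaluating it.
function encodeExecutableCell(value) {
  return looksExecutable(value) ? "'" + value : value;
}

// RFC 4180 quoting: wrap fields that contain the separator, a double quote
// or a line break in double quotes, and double any embedded double quotes.
function quoteCsvField(value) {
  const s = value === null || value === undefined ? '' : String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Serialize rows (arrays of cells) to CSV; encodeExecutableContent mirrors
// the option from the page and defaults to the safe setting here.
function toCsv(rows, { encodeExecutableContent = true } = {}) {
  return rows
    .map(row => row
      .map(cell => (encodeExecutableContent ? encodeExecutableCell(cell) : cell))
      .map(quoteCsvField)
      .join(','))
    .join('\r\n');
}

// Constructed sample data: the "Notes" column holds user-supplied text, which
// is where a formula-like value would typically arrive.
const SAMPLE_ROWS = [
  ['Name', 'Balance', 'Notes'],
  ['Alice', 120, 'Regular customer'],
  ['Bob', -5, '=SUM(A1:A2)'],
  ['Carol', 0, '-5 days late, "urgent"'],
];

console.log(toCsv(SAMPLE_ROWS));
// Bob's note is exported as '=SUM(A1:A2) and Carol's as "'-5 days late, ""urgent"""
// while the numeric -5 in the Balance column is left untouched.
```

Two points the example makes that the option's one-line description does not: numeric columns should be exported as numbers rather than pre-formatted strings, otherwise legitimate negative values receive the prefix too; and the quote prefix changes the stored cell content, so downstream consumers that parse the CSV programmatically (rather than opening it in a spreadsheet) need to strip it or read the unencoded export instead.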