[Libreoffice-bugs] [Bug 114878] Add option to CSV import to disable formula injection

bugzilla-daemon at bugs.documentfoundation.org
Mon May 31 06:48:56 UTC 2021


https://bugs.documentfoundation.org/show_bug.cgi?id=114878

--- Comment #14 from Martin Häcker <spamfaenger at gmx.de> ---
Right now the import dialog shows the formulas un-evaluated, while later in the
document they are. There should be at least the option for the user to get the
formulas as data in the actual spreadsheet after import - just like they are
shown in the preview.

I think this is especially important because especially knowledgeable developers,
who are thorough and have actually read the CSV RFC which states:

> CSV files contain passive text data

Also there is no reliable way to build a CSV export file that works reliably as
a data interchange format between applications and as a data format that can be
imported into Spreadsheet software at the same time.

To quote <http://georgemauer.net/2017/10/07/csv-injection.html> 

-- snip --
The nasty end result is that when generating the csv export you must know how
the export is to be used.

If it is to be used in a spreadsheet application by a user to calculate things
visually, you should escape things with a tab. This is actually even more
important since you wouldn’t want the string “-2+3” in a programming language
appearing as 1 when exported to a spreadsheet.
If it is to be used as an interchange format then do not escape anything.
If you do not know or if it is to be used in a spreadsheet application or then
later that spreadsheet will be used as an import source for software, give up,
swear off the world, get yourself a cabin with the woods and maybe try being
friends with squirrels for a while. (Alternately, use Excel but always
disconnect from the network and follow all security prompts while doing any
work) (Edit: That probably won’t work 100% either since someone can still use a
macro to overwrite well known files with their own binary. Shit.).
It’s a nightmare of a scenario, it’s sinister, damaging, and with no clear
solution. It’s also something that should be far far better known than it
currently is.
-- snap --

There should at least be support in Libre Office to allow one CSV formatted
file to be used unchanged in all of those contexts and allow its use as a data
interchange format - just as it is meant to be.

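The export dilemma quoted in the comment above, as an added example that is not part of the original comment or of LibreOffice's code: a CSV exporter with a tab-escaping "spreadsheet" mode and an unescaped "interchange" mode, plus a round-trip check showing that only the unescaped file returns the original data to a parsing application. The trigger character set and all function names are assumptions made for this illustration.

```python
import csv
import io

# Assumption: leading characters a spreadsheet may treat as the start of a
# formula. The page itself only shows "-2+3" and speaks of formulas generally.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralise(cell):
    """Prefix a tab so a spreadsheet imports the cell as text, not a formula."""
    if isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS):
        return "\t" + cell
    return cell


def export_csv(rows, for_spreadsheet):
    """Serialise rows; escape formula-like cells only in spreadsheet mode."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralise(c) for c in row] if for_spreadsheet else row)
    return buf.getvalue()


def parse_csv(text):
    """Parse the file the way a consuming application (not a spreadsheet) would."""
    return list(csv.reader(io.StringIO(text, newline="")))


def roundtrip_differences(rows, for_spreadsheet):
    """Return (original, parsed) pairs for every cell changed by export + parse."""
    parsed = parse_csv(export_csv(rows, for_spreadsheet))
    return [
        (orig, got)
        for orig_row, got_row in zip(rows, parsed)
        for orig, got in zip(orig_row, got_row)
        if orig != got
    ]


# Constructed sample data, not taken from the bug report.
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", "-2+3"],
    ["bob", "=SUM(A1:A2)"],
    ["carol", "plain text"],
]

if __name__ == "__main__":
    print("interchange mode changes:", roundtrip_differences(SAMPLE_ROWS, False))
    print("spreadsheet mode changes:", roundtrip_differences(SAMPLE_ROWS, True))
```

The spreadsheet-mode file reaches a downstream parser with a tab in front of every escaped cell, which is the data corruption that an import-side option to treat formulas as text would make unnecessary.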