461e330bfc
The sender name and message body are user-controlled; a value whose first character is =, +, -, @, tab or CR would be interpreted as a formula (CSV/formula injection) when a moderator opens the CSV export in a spreadsheet. csvSafe() neutralises such values by prefixing them with a single quote; a trigger character that is not leading is left untouched. Unit-tested.
package server
import "testing"
// TestCSVSafe exercises csvSafe, the guard that keeps user-controlled cells in the admin
// Messages CSV export from being interpreted as spreadsheet formulas: a value whose first
// byte is a formula trigger (=, +, -, @, tab, CR) gains a leading single quote, and any
// other value — including one with a trigger character later in the string — comes back
// unchanged.
func TestCSVSafe(t *testing.T) {
	cases := []struct {
		name, input, want string
	}{
		{"empty", "", ""},
		{"plain word", "hello", "hello"},
		{"equals", "=1+1", "'=1+1"},
		{"plus", "+cmd", "'+cmd"},
		{"minus", "-2", "'-2"},
		{"at", "@SUM(A1)", "'@SUM(A1)"},
		{"tab", "\tx", "'\tx"},
		{"carriage return", "\rx", "'\rx"},
		{"plain phrase", "good luck", "good luck"},
		// A trigger character that is not in the first position must not be quoted.
		{"non-leading equals", "a=b", "a=b"},
	}
	for _, c := range cases {
		t.Run(c.name, func(t *testing.T) {
			got := csvSafe(c.input)
			if got == c.want {
				return
			}
			t.Errorf("csvSafe(%q) = %q, want %q", c.input, got, c.want)
		})
	}
}