DEV Community

Cover image for Security: Released  npm package πŸ“¦  for  Protecting CSV Injection  πŸš€
Shahjada Talukdar for The Destro Dev Show

Posted on

Security: Released npm package πŸ“¦ for Protecting CSV Injection πŸš€

We can not ignore Security on the Web. Security Vulnerability can impact your application and users which might eventually destroy your company!

As Web/Software Engineers, we should care about Security as much we care about our code.

There are different kinds of injection attacks available.

I was working with CSVs and then thought to use any available CSV injection protector package from npmjs. But I was surprised that I could not find what I needed.

So I thought to develop and release a package(CSV injection protector) for me and all of us.

First, let's see what is CSV injection-

CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files.

To learn more about CSV Injection, please have a look here πŸ‘‰OWASP doc on CSV Injection

I am presenting a tiny and useful package for protecting your application from CSV Injections called csv-injection-protector πŸŽ‰

(And it's always hard to come up with a good name I know πŸ˜‰)

Why use this pacakge?

If you have any Input Field and that data goes to the Database in the backend and you generate CSV files with it, then you SHOULD think about CSV injection.

Probably, the string went to your DB is injected. They can execute any operation in the cell and also your CSV file can be corrupted and you can not open that.

It can be sanitized so that string is okay for the CSV.

How to use


npm i csv-injection-protector
Enter fullscreen mode Exit fullscreen mode

Then use in your code like below:

const riskyString = "=Risky string for CSV";
const sanitizedString = csvInjectionProtector(riskyString);
console.log(sanitizedString); // "Risky string for CSV"
Enter fullscreen mode Exit fullscreen mode

Voila πŸš€

It's super simple!

I also showed a demo of this package. Please check out the YouTube video-

Please check πŸ‘‰

Use it and let me know if you find any issues. Also if you have any suggestions, PRs are welcome πŸ™Œ


As I am trying to contribute contents on the Web, you can buy me a coffee for my hours spent on all of these ❀️😊🌸
Buy Me A Coffee

Photo byΒ Sara BakhshiΒ onΒ Unsplash

Top comments (1)

lkaratun profile image
Lev Karatun • Edited

I checked out your package and it doesn't seem like you're checking for this case:

Keep in mind that it is not sufficient to make sure that the untrusted user input does not start with these characters. You also need to take care of the field separator (e.g., β€˜,’, or β€˜;’) and quotes (e.g., ', or "), as attackers could use this to start a new cell and then have the dangerous character in the middle of the user input, but at the beginning of a cell.