Exported data can contain executable content (for example, =cmd|' /C calc'!'!A1'). Such content can execute malicious commands if a user opens the exported file in Microsoft Excel and confirms the prompts that allow the file to be loaded and its commands to run.
Applies to: 19.1.7, 19.1.8, 19.2.2, 19.2.3, 19.2.4
To prevent this, we automatically encode potentially dangerous content before exporting it to the CSV format. For example, cell values that look like formulas are exported as plain text so that no command runs when the file is opened in a spreadsheet application on another machine.
This behavior is controlled by the following properties:
- at the control level: DevExpress.XtraPrinting.CsvExportOptions.EncodeExecutableContent
- at the application level: DevExpress.Export.ExportSettings.EncodeCsvExecutableContent
To revert to the previous (unencoded) behavior, disable encoding as shown in the code samples below:
C#
// ASP.NET Web Forms GridView: disable encoding for a single export
using DevExpress.Export;   // CsvExportOptionsEx
using DevExpress.Utils;    // DefaultBoolean

protected void ExportToCSVButton_Click(object sender, EventArgs e) {
    var options = new CsvExportOptionsEx();
    // Export cell values verbatim (pre-19.1.7 behavior)
    options.EncodeExecutableContent = DefaultBoolean.False;
    Grid.ExportCsvToResponse(options);
}
Visual Basic
' ASP.NET Web Forms GridView: disable encoding for a single export
Imports DevExpress.Export   ' CsvExportOptionsEx
Imports DevExpress.Utils    ' DefaultBoolean

Protected Sub ExportToCSVButton_Click(ByVal sender As Object, ByVal e As EventArgs)
    Dim options = New CsvExportOptionsEx()
    ' Export cell values verbatim (pre-19.1.7 behavior)
    options.EncodeExecutableContent = DefaultBoolean.[False]
    Grid.ExportCsvToResponse(options)
End Sub
C#
// ASP.NET: disable encoding application-wide (Global.asax.cs)
void Application_Start(object sender, EventArgs e) {
    DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.False;
}
Visual Basic
' ASP.NET: disable encoding application-wide (Global.asax.vb)
Private Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
    DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.[False]
End Sub
Applies to: 19.1.9 and higher, 19.2.5 and higher
We disabled automatic encoding in these versions because it sometimes modified legitimate data. The encoder treated every value that starts with “=”, “-”, “+”, “@”, or “” as potentially unsafe, so a plain string cell value such as [-20%] was exported as ["""-20%"""] (extra characters were added to a value that was never a formula).
Note that Microsoft Excel implements its own algorithm for detecting unsafe content and warns the user when it finds values that would execute commands in a document.
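The trade-off described above (neutralizing every cell that starts with a trigger character versus leaving legitimate values such as -20% alone), as an added example that is not DevExpress code and does not reproduce the library's own algorithm: a small stand-alone C# CSV writer that prefixes dangerous cells with an apostrophe (the OWASP-style mitigation, a different technique from the quoting the library applied), exempts values that parse as numbers so that -20% and +3.5 survive unchanged, and applies RFC 4180 quoting. The class name, the numeric-exemption rule and the sample rows are assumptions of this example.

```csharp
// Added example, not DevExpress code: a minimal CSV writer that neutralizes
// formula-triggering cells and leaves numeric-looking values untouched.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text;

public static class SafeCsv
{
    // Leading characters that make a spreadsheet treat a cell as a formula.
    // Tab and carriage return are included because a leading whitespace
    // character can hide one of the other triggers from naive checks.
    private static readonly char[] FormulaTriggers = { '=', '-', '+', '@', '\t', '\r' };

    // True when a spreadsheet would interpret the value as a formula.
    public static bool LooksExecutable(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        return FormulaTriggers.Contains(value[0]);
    }

    // Assumption of this example: a sign followed only by digits, separators
    // and an optional percent sign is arithmetic data, not a formula, and may
    // be exported unchanged. This avoids the -20% false positive.
    public static bool IsPlainNumber(string value)
    {
        string v = value.TrimEnd('%');
        return double.TryParse(v, NumberStyles.Float | NumberStyles.AllowThousands,
                               CultureInfo.InvariantCulture, out _);
    }

    // Neutralize a cell by prefixing an apostrophe so the spreadsheet stores it
    // as text. The original content is preserved; the apostrophe stays visible.
    public static string Neutralize(string value)
    {
        return LooksExecutable(value) && !IsPlainNumber(value) ? "'" + value : value;
    }

    // RFC 4180 quoting: wrap in double quotes when needed, double inner quotes.
    public static string Quote(string value)
    {
        bool needsQuotes = value.IndexOfAny(new[] { ',', '"', '\n', '\r' }) >= 0;
        if (!needsQuotes) return value;
        return "\"" + value.Replace("\"", "\"\"") + "\"";
    }

    // encodeExecutableContent mirrors the opt-in switch discussed on this page:
    // false exports cells verbatim, true neutralizes dangerous cells first.
    public static string ToCsv(IEnumerable<IEnumerable<string>> rows, bool encodeExecutableContent)
    {
        var sb = new StringBuilder();
        foreach (var row in rows)
        {
            var cells = row.Select(c => Quote(encodeExecutableContent ? Neutralize(c) : c));
            sb.Append(string.Join(",", cells)).Append("\r\n");
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample rows: the payload quoted on this page, a legitimate
        // negative percentage, a cell containing a comma, and a quoted string.
        var rows = new[]
        {
            new[] { "Name", "Change", "Note" },
            new[] { "=cmd|' /C calc'!'!A1'", "-20%", "hello, world" },
            new[] { "@SUM(1+1)", "+3.5", "\"quoted\"" },
        };
        Console.WriteLine("encoded (EncodeExecutableContent = true):");
        Console.Write(ToCsv(rows, encodeExecutableContent: true));
        Console.WriteLine("raw (EncodeExecutableContent = false):");
        Console.Write(ToCsv(rows, encodeExecutableContent: false));
    }
}
```

With encoding on, the first data row is exported as '=cmd|' /C calc'!'!A1',-20%,"hello, world": the payload is inert text, the percentage is untouched, and the comma-bearing cell is quoted. The numeric exemption is the judgement call: it keeps arithmetic data clean at the cost of a slightly narrower filter, whereas neutralizing every trigger-prefixed cell is safer but produces exactly the kind of modified values this notice describes.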
Because encoding is now off by default, an application that exports values supplied by untrusted users should enable it explicitly (or sanitize those values before export). To enable encoding, set the following properties to true:
- at the control level: DevExpress.XtraPrinting.CsvExportOptions.EncodeExecutableContent
- at the application level: DevExpress.Export.ExportSettings.EncodeCsvExecutableContent
C#
// ASP.NET Web Forms GridView: enable encoding for a single export
using DevExpress.Export;   // CsvExportOptionsEx
using DevExpress.Utils;    // DefaultBoolean

protected void ExportToCSVButton_Click(object sender, EventArgs e) {
    var options = new CsvExportOptionsEx();
    // Neutralize formula-like cell values before they reach the CSV file
    options.EncodeExecutableContent = DefaultBoolean.True;
    Grid.ExportCsvToResponse(options);
}
Visual Basic
' ASP.NET Web Forms GridView: enable encoding for a single export
Imports DevExpress.Export   ' CsvExportOptionsEx
Imports DevExpress.Utils    ' DefaultBoolean

Protected Sub ExportToCSVButton_Click(ByVal sender As Object, ByVal e As EventArgs)
    Dim options = New CsvExportOptionsEx()
    ' Neutralize formula-like cell values before they reach the CSV file
    options.EncodeExecutableContent = DefaultBoolean.[True]
    Grid.ExportCsvToResponse(options)
End Sub
C#
// ASP.NET: enable encoding application-wide (Global.asax.cs)
void Application_Start(object sender, EventArgs e) {
    DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.True;
}
Visual Basic
' ASP.NET: enable encoding application-wide (Global.asax.vb)
Private Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
    DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.[True]
End Sub