CsvOutputFormatter does not mitigate agains Spreadsheet Formula Injection #151
Description
As CSV files from web applications are frequently downloaded and then opened in Excel (or similar), consideration should be made for the possibility of Formula Injection (see here)
Mitigation would be to prefix with a single quote (') character wherever a value starts with equals ("="), plus ("+"), minus ("-"), at ("@") or percentage ("%") character
Suggest:
if (_val.Length > 0 && (new string[]{"=", "+". "-", "@", "%"}).Contains(_val.Substring(0,1)) _val = "'" + _val;
May be worth adding a boolean value (default true) to the CsvFormatterOptions to control this