Suggested CSV Injection mitigation does not survive saving and re-opening in Excel

[xxgreg]

https://github.com/OWASP/www-community/blob/master/pages/attacks/CSV_Injection.md

Excel is commonly used to edit CSV files. Unfortunately when saving CSVs Excel strips out some of the characters which are inserted to prevent the CSV injection. This is unfortunate behaviour from Excel, and should really be fixed there, but I'd like to be able to prevent formulas from being inserted into CSVs and run on my user's computers.

For most outputs it's possible to completely disallow cells starting with "=", and "@", irrespective of quoting. But "-" is obviously required for numbers.

One suggestion for solving this is inserting an extra tab character, which prevents Excel from removing the quotes.

http://georgemauer.net/2017/10/07/csv-injection.html

Reproduction:

Consider the following CSV:

a,b
,"'=1+2"

Open the CSV, focus on the cell with the formula, and then move the focus away. Save the CSV, it is saved as:

a,b
,=1+2

Open the CSV again, the formula is executed and "3" is shown in the cell.

[pepe-invest-git]

---

layout: col-sidebar
title: "My Page"
author: "My Name"
contributors: ["Additional Contributor Names", "If Any"]
permalink: /MyPageTitle
tags: ["attack", "XSS"]

---

{% include writers.html %}

Write your content here!

[kingthorin]

@pepe-invest-git please stop making random useless posts.

[prasunsrivastav123-lang]

Hi, I was able to reproduce this behavior in Excel — quoted formula cells get rewritten on save and execute again when re-opened.

Issue:

The current CSV Injection guidance suggests quoting / prefixing with ', but this does not survive Excel save → reopen, which makes the mitigation unreliable in real-world workflows.

Proposed Fix:

Update the mitigation section to explicitly document Excel’s behavior (quotes being stripped).

Add a stronger mitigation: prefixing formula-triggering cells (=, +, -, @) with a tab character (\t) inside quotes, which survives save/reopen and prevents execution.

Clearly document trade-offs (visual-only safety vs interchange safety) with a short example.

I’m happy to open a PR with a minimal, focused update if this approach sounds acceptable. Please let me know if I can take this one 👍