Updated PapaParse config to prevent CSV injection.

I've updated the PapaParse JS library to the latest version from the master branch which supports the `escapeForumlae` option in order to prevent malicious event entries from being parsed and executed by the Gophish user's spreadsheet software.

When a new PapaParse release is created, I'll update this code to use the updated minified file.
pull/1914/head
Jordan Wright 2020-07-24 22:44:24 -05:00
parent 4e9b94b641
commit b25f5ac5e4
4 changed files with 1938 additions and 9 deletions

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -216,7 +216,9 @@ function exportAsCSV(scope) {
return
}
$("#exportButton").html('<i class="fa fa-spinner fa-spin"></i>')
var csvString = Papa.unparse(csvScope, {})
var csvString = Papa.unparse(csvScope, {
'escapeFormulae': true
})
var csvData = new Blob([csvString], {
type: 'text/csv;charset=utf-8;'
});

File diff suppressed because one or more lines are too long