Merge pull request #3582 from InosRahul/fix/negative-num-serialization

fix(clipboard): Handle negative numbers in TSV serialization for copy
mathesar-foundation · May 14, 2024 · b585502 · b585502
2 parents b30fcc6 + e9d7ceb
commit b585502
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/mathesar_ui/src/components/sheet/SheetClipboardHandler.ts b/mathesar_ui/src/components/sheet/SheetClipboardHandler.ts
@@ -62,7 +62,19 @@ function getFormattedCellValue<
 function serializeTsv(data: string[][]): string {
   return Papa.unparse(data, {
     delimiter: '\t',
-    escapeFormulae: true,
+    // From the [Papa Parse][1] library, `escapeFormulae` helps defend against
+    // formula [injection attacks][2]. We modify the default value though
+    // because it [didn't work][3] for negative numbers. We're supplying our own
+    // regex that uses the default behavior plus special handling for negative
+    // numbers. It doesn't escape negative numbers because they are valid. But
+    // it does escape anything else that begins with a hyphen.
+    //
+    // [1]: https://www.papaparse.com/docs
+    //
+    // [2]: https://owasp.org/www-community/attacks/CSV_Injection
+    //
+    // [3]: https://github.com/mathesar-foundation/mathesar/issues/3576
+    escapeFormulae: /^=|^\+|^@|^\t|^\r|^-(?!\d+(\.\d+)?$)/,
   });
 }