
Updated PapaParse config to prevent CSV injection.

I've updated the PapaParse JS library to the latest version from the master branch which supports the `escapeFormulae` option in order to prevent malicious event entries from being parsed and executed by the Gophish user's spreadsheet software.

When a new PapaParse release is created, I'll update this code to use the updated minified file.
pull/1914/head
Jordan Wright 1 year ago
parent
commit
b25f5ac5e4
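The mitigation the commit message describes, shown as an added example rather than Gophish's or PapaParse's own code: a small CSV writer for a constructed campaign-results row set, with the unsafe verbatim writer beside a hardened one that neutralises formula-leading cells the way the `escapeFormulae` option does. The assumption is that spreadsheet software treats a cell beginning with `=`, `+`, `-` or `@` as a formula unless it is prefixed with a single quote.

```javascript
// Added example, not code from the Gophish or PapaParse repositories.
// Assumption: a cell starting with = + - @ is evaluated as a formula by
// spreadsheet software; a leading single quote makes it display as text.
const FORMULA_LEAD = /^[=+\-@]/;

// Quote a field per RFC 4180 when it contains a comma, quote or newline.
function quoteField(value) {
  const s = String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Unsafe: cell text is written verbatim, so a target-supplied value such
// as "=1+1" is evaluated when the export is opened in a spreadsheet.
function toCSVUnsafe(rows, columns) {
  return [columns.join(',')]
    .concat(rows.map(r => columns.map(c => quoteField(r[c])).join(',')))
    .join('\r\n');
}

// Hardened: prefix a formula-leading cell with a single quote and always
// wrap it in double quotes so the prefix survives the CSV round trip.
function escapeFormulaCell(value) {
  const s = String(value);
  if (!FORMULA_LEAD.test(s)) return quoteField(s);
  return '"' + ("'" + s).replace(/"/g, '""') + '"';
}

function toCSVSafe(rows, columns) {
  return [columns.join(',')]
    .concat(rows.map(r => columns.map(c => escapeFormulaCell(r[c])).join(',')))
    .join('\r\n');
}

// Constructed sample resembling a campaign results export; "details" is
// attacker-influenced because it echoes whatever the target submitted.
const COLUMNS = ['email', 'status', 'details'];
const SAMPLE_ROWS = [
  { email: 'alice@example.test', status: 'Submitted Data', details: 'username=alice' },
  { email: 'bob@example.test',   status: 'Submitted Data', details: '=1+1' },
];

console.log(toCSVUnsafe(SAMPLE_ROWS, COLUMNS));
console.log(toCSVSafe(SAMPLE_ROWS, COLUMNS));
```

Only the cell whose first character is a formula trigger is rewritten; values like `username=alice` pass through unchanged.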
4 changed files with 1938 additions and 9 deletions
  1. +1 -1 static/js/dist/app/campaign_results.min.js
  2. +1 -1 static/js/dist/vendor.min.js
  3. +3 -1 static/js/src/app/campaign_results.js
  4. +1933 -6 static/js/src/vendor/papaparse.min.js

+1 -1 static/js/dist/app/campaign_results.min.js (diff not shown: file too large)

+1 -1 static/js/dist/vendor.min.js (diff not shown: file too large)

+3 -1 static/js/src/app/campaign_results.js

@ -216,7 +216,9 @@ function exportAsCSV(scope) {
return
}
$("#exportButton").html('<i class="fa fa-spinner fa-spin"></i>')
var csvString = Papa.unparse(csvScope, {})
var csvString = Papa.unparse(csvScope, {
'escapeFormulae': true
})
var csvData = new Blob([csvString], {
type: 'text/csv;charset=utf-8;'
});
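Review bot: no test accompanies the new `'escapeFormulae': true` argument on the `Papa.unparse(csvScope, { ... })` call, and the commit message says the vendored papaparse.min.js is a master-branch snapshot rather than a tagged release. A unit test that unparses a row containing a field that begins with a formula trigger such as `=` and asserts that the emitted cell carries the leading single quote would catch the option being silently ignored if the vendor file is later swapped for a release that predates it. Please also confirm that static/js/dist/app/campaign_results.min.js was rebuilt from this source change (its +1/-1 suggests so), since the shipped bundle is what passes the option at runtime.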

+1933 -6 static/js/src/vendor/papaparse.min.js (diff not shown: file too large)

