Escape Excel formula (instance security hardening)
Use the glide.export.escape_formulas property to prevent Excel injection, also known as formula injection.
Excel injection occurs when websites embed untrusted entries inside Excel files. When you use a spreadsheet application such as Microsoft Excel or LibreOffice Calc to open a file, any cells starting with +, -, =, or @ are interpreted as a formula. When you set the glide.export.escape_formulas property to true, string values starting with +, -, =, or @ are prepended with a single apostrophe when you export to CSV, XLS, or XLSX files.
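The following added example is not ServiceNow code. It models the escaping rule described above and audits an exported CSV for cells that a spreadsheet would still read as formulas, which is one way to confirm the property is taking effect. The function names, the sample records, and the choice to treat plain signed numbers as non-formulas are assumptions made for this illustration.

```python
import csv
import io

FORMULA_PREFIXES = ("+", "-", "=", "@")  # the four characters named in the text above

# Constructed sample data (record numbers and text are made up for this example).
SAMPLE_ROWS = [
    ["number", "short_description", "delta"],
    ["INC0000001", "=1+1", -42],
    ["INC0000002", "@team please review", 7],
    ["INC0000003", "Printer offline, floor 2", 0],
]

def escape_cell(value):
    """Prefix an apostrophe to string values that start with a formula character."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value  # non-string values (numbers) are left untouched

def export_csv(rows, escape=True):
    """Hypothetical stand-in for an export; returns CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_cell(v) if escape else v for v in row])
    return buf.getvalue()

def _is_number(text):
    try:
        float(text)
        return True
    except ValueError:
        return False

def find_unescaped(csv_text):
    """Return (row, column, cell) for cells a spreadsheet would read as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            # Plain signed numbers such as -42 are data, not formulas: skip them.
            if cell.startswith(FORMULA_PREFIXES) and not _is_number(cell):
                findings.append((r, c, cell))
    return findings

if __name__ == "__main__":
    for label, flag in (("escaped", True), ("unescaped", False)):
        print(label, find_unescaped(export_csv(SAMPLE_ROWS, escape=flag)))
```

Run `find_unescaped` over a real CSV export after changing the property; an empty result means no string cell begins with one of the four characters.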
More information
| Attribute | Description |
|---|---|
| Property name | glide.export.escape_formulas |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | To protect the application against Excel or formula injection. |
| Recommended value | true |
| Functional Impact | Maliciously crafted formulas can be used for hijacking the user's computer by exploiting vulnerabilities in the spreadsheet software. |
| Security risk | (Medium) Malicious formulae pose a risk even when the embedding spreadsheet doesn't contain any sensitive information, as they can be used to compromise the viewer's computer. |
| Workaround | As an alternative, consider stripping all trailing white spaces where possible and limiting all client-supplied data to alphanumeric characters. |
| References | Available system properties |
To learn more about adding or creating a system property, see Add a system property.