Setting quotePrefix flag


Andrey

Jun 7, 2018, 10:47:23 AM
to openpyxl-users
Hello!

A security audit in my current project pointed out that during Excel report generation all cell values starting with '=', '@', '-', '+' etc. must be escaped with a single quote to prevent evaluation of potentially malicious formulas. To achieve the desired result I need to set the quotePrefix flag on cells that need to be escaped. The Cell class has a quotePrefix property, which I can read. But I haven't found any public interface to set this flag when writing a workbook.

Any suggestions?

Thanks in advance
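
The escaping rule the audit asks for, as an added example that is not part of the original thread or of openpyxl: it prepends a literal apostrophe to text values, which is a different mechanism from the quotePrefix style flag asked about here. The function names and sample rows are constructed for illustration, and treating tab and carriage return as triggers is an assumption covering the post's "etc.".

```python
# '=', '@', '-', '+' come from the audit finding quoted in the post.
# Tab and carriage return are an assumption for the post's "etc."
# (they are listed in OWASP's CSV-injection guidance).
FORMULA_TRIGGERS = ("=", "@", "-", "+", "\t", "\r")


def needs_escape(value):
    """Return True if a text value starts with a formula-trigger character."""
    # Only text can be read as a formula; a real number such as -5 stays numeric.
    if not isinstance(value, str) or not value:
        return False
    return value.startswith(FORMULA_TRIGGERS)


def escape_cell(value):
    """Prefix risky text with a single quote; leave everything else untouched."""
    # Idempotent: an already-escaped value starts with "'" and is not a trigger.
    return "'" + value if needs_escape(value) else value


def escape_rows(rows):
    """Escape a whole report; return (safe_rows, [(row, col), ...] changed)."""
    safe, changed = [], []
    for r, row in enumerate(rows):
        out = []
        for c, value in enumerate(row):
            if needs_escape(value):
                changed.append((r, c))  # keep a record for audit logging
            out.append(escape_cell(value))
        safe.append(out)
    return safe, changed


# Constructed sample report rows (not from the thread).
SAMPLE_ROWS = [
    ["name", "balance", "comment"],
    ["alice", -5, "=1+1"],
    ["@bob", 12.5, "+1 555 0100"],
    ["carol", None, "'=already escaped"],
]

if __name__ == "__main__":
    safe_rows, touched = escape_rows(SAMPLE_ROWS)
    for row in safe_rows:
        print(row)
    print("escaped cells (row, col):", touched)
```
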

Charlie Clark

Jun 7, 2018, 10:54:33 AM
to openpyx...@googlegroups.com
On .06.2018, at 16:47, Andrey <andrene...@gmail.com> wrote:

> Any suggestions?

Thanks for the explanation. The flag would probably have to be added to
openpyxl somehow either in general for StyleableObject or perhaps just for
formulae.

A PR with an extensive description of the requirement (the specification
is pretty vague) would be welcome. I remember seeing a question on
StackOverflow recently about this.

Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Kronenstr. 27a
Düsseldorf
D- 40217
Tel: +49-211-600-3657
Mobile: +49-178-782-6226

Andrey

Jun 7, 2018, 12:21:57 PM
to openpyxl-users
Thank you!

On Thursday, June 7, 2018 at 17:54:33 UTC+3, Charlie Clark wrote: