Prevent formula injection in spreadsheet exports

Answer/candidate text starting with =, +, -, or @ was written to XLSX
exports as a live formula rather than plain text. Since seasons can
have multiple owners, a co-owner could plant a formula that runs (and
can exfiltrate data) when another owner opens the export in Excel.
This commit is contained in:
2026-07-13 09:31:14 +02:00
parent 4f3a6fbc89
commit cd293aa86f
7 changed files with 265 additions and 1 deletions
@@ -0,0 +1,31 @@
<?php
declare(strict_types=1);
namespace Tvdt\Helpers;
use PhpOffice\PhpSpreadsheet\Cell\Cell;
use PhpOffice\PhpSpreadsheet\Cell\DefaultValueBinder;
/**
* Stores any string that would otherwise be auto-detected as a spreadsheet formula (or that
* spreadsheet software re-interprets as one on open/paste) as plain text instead, to prevent
* formula injection via user-controlled export data (e.g. a candidate or answer named
* `=WEBSERVICE(...)`).
*/
final class FormulaInjectionSafeValueBinder extends DefaultValueBinder
{
private const string DANGEROUS_PREFIXES = "=+-@\t\r";
#[\Override]
public function bindValue(Cell $cell, mixed $value): bool
{
if (\is_string($value) && '' !== $value && str_contains(self::DANGEROUS_PREFIXES, $value[0])) {
$cell->setValueExplicit($value);
return true;
}
return parent::bindValue($cell, $value);
}
}