I am trying to secure my application by preventing CSV injection. The vulnerability applies when the user downloads a CSV export file.
The way I deal with it now is removing the characters: = + - @
https://owasp.org/www-community/attacks/CSV_Injection
The problem is that I have a 'Description' field in the database that includes URLs. If I check whether the characters exist and escape them, it will also break the URLs.
Is there a way to deal with this problem maybe via Regex?
Example:
Description = "This is a big description......https://url.com......=10+20+cmd|' /C calc'!A0....";
Expected behavior:
As the page you cite states (emphasis mine):
To remediate it, ensure that no cells begin with any of the following characters:
In other words, you don't have to remove all of those characters, only when they stand at the start of a value. And that should not happen very often with real-world data.
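The check described in the answer above, as an added example that is not part of the original question or answer: only a leading trigger character is neutralized, so URLs and operators inside the text are left alone. The function names and sample rows are hypothetical, the trigger set is the four characters from the question, and prefixing a single quote (rather than deleting the character) is an assumption about how you want to neutralize the cell.

```python
import csv
import io

# Trigger characters named in the question; extend the set if your policy lists more.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Prefix a single quote only when the cell *begins* with a trigger character."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows to CSV text, neutralizing every cell and quoting all fields.

    QUOTE_ALL plus the csv module's quote doubling keeps embedded commas and
    quotes inside one cell, so text in the middle of a value cannot become
    the start of a new cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data; row 2 reuses the string from the question.
SAMPLE_ROWS = [
    ["id", "Description"],
    [1, "This is a big description https://url.com/a-b?x=1+2 =10+20"],
    [2, "=10+20+cmd|' /C calc'!A0"],
    [3, 'said "ok", =1+1'],
    [4, "@handle"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS), end="")
```

Apply the function to every cell at export time, not only to `Description`. Negative numbers written as text (for example `-5`) also get the prefix, so decide whether numeric columns should be validated as numbers instead.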