WC_CSV_Exporter::escape_data()
Escape a string to be used in a CSV context
Malicious input can inject formulas into CSV files, opening up the possibility for phishing attacks and disclosure of sensitive information.
Additionally, Excel exposes the ability to launch arbitrary commands through the DDE protocol.
Method of the class: WC_CSV_Exporter{}
No Hooks.
Return
String
.
Usage
$WC_CSV_Exporter = new WC_CSV_Exporter(); $WC_CSV_Exporter->escape_data( $data );
- $data(string) (required)
- CSV field to escape.
Notes
Changelog
Since 3.1.0 | Introduced. |
WC_CSV_Exporter::escape_data() WC CSV Exporter::escape data code WC 9.4.2
public function escape_data( $data ) { // 0x09: Tab (\t) // 0x0d: Carriage Return (\r) $active_content_triggers = array( '=', '+', '-', '@', chr( 0x09 ), chr( 0x0d ) ); if ( in_array( mb_substr( $data, 0, 1 ), $active_content_triggers, true ) ) { $data = "'" . $data; } return $data; }