WC_CSV_Exporter::escape_data() public WC 3.1.0

Escape a string to be used in a CSV context

Malicious input can inject formulas into CSV files, opening up the possibility for phishing attacks and disclosure of sensitive information.

Additionally, Excel exposes the ability to launch arbitrary commands through the DDE protocol.

Number values are not escaped since a pure numeric value cannot form a valid formula to be injected. This preserves negative numeric values (e.g. -42) as numbers in the CSV output.

Method of the class: WC_CSV_Exporter{}

No Hooks.

Returns

String.

Usage

$WC_CSV_Exporter = new WC_CSV_Exporter();
$WC_CSV_Exporter->escape_data( $data );
$data (string) (required)
CSV field to escape.

Changelog

Since 3.1.0 Introduced.

WC_CSV_Exporter::escape_data() code WC 10.5.0

public function escape_data( $data ) {
	// 0x09: Tab (\t)
	// 0x0d: Carriage Return (\r)
	$active_content_triggers = array( '=', '+', '-', '@', chr( 0x09 ), chr( 0x0d ) );

	// Don't escape pure numeric values since they cannot form a valid formula to be injected.
	if ( is_int( $data ) || is_float( $data ) ) {
		return $data;
	}

	if ( in_array( mb_substr( $data, 0, 1 ), $active_content_triggers, true ) ) {
		$data = "'" . $data;
	}

	return $data;
}
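As an added example (not WooCommerce's own code), a Python port of the escaping rule above run over a few constructed rows through a CSV writer; it shows that a real numeric -42 survives as a number while the string "-42" and a formula-looking field get the leading apostrophe that makes a spreadsheet read them as text.

```python
import csv
import io
from typing import Union

# Leading characters a spreadsheet treats as the start of active content:
# formula prefixes plus tab and carriage return, mirroring the triggers
# checked by WC_CSV_Exporter::escape_data.
ACTIVE_CONTENT_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

Field = Union[int, float, str]


def escape_data(data: Field) -> Field:
    """Port of the escape_data semantics shown above.

    Real numbers pass through unchanged (a bare number cannot be a formula);
    a string whose first character is a trigger is prefixed with an
    apostrophe so the spreadsheet stores it as text instead of evaluating it.
    """
    if isinstance(data, bool):
        # bool is an int subclass in Python; keep it out of the numeric fast path.
        return str(data)
    if isinstance(data, (int, float)):
        return data
    if data[:1] in ACTIVE_CONTENT_TRIGGERS:
        return "'" + data
    return data


def export_rows(rows) -> str:
    """Write rows to CSV text, escaping every field first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_data(field) for field in row])
    return buf.getvalue()


# Constructed sample rows: a harmless note, a genuine numeric balance, a
# customer-supplied note that looks like a formula, and a numeric-looking
# string that must still be treated as text.
SAMPLE_ROWS = [
    ["Order", "Customer note", "Balance"],
    ["1001", "Thanks!", -42],
    ["1002", '=HYPERLINK("https://example.test","click")', 19.99],
    ["1003", "-42", 0],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

The csv module only quotes the HYPERLINK field because it contains commas and quotes; the apostrophe itself never forces quoting, so the plain `'-42` field shows exactly what lands in the file.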