Merge pull request #447 from bugcrowd/CSV-Injection

updates to rec for CSV Injection
bugcrowd · May 15, 2024 · 70c0c7f · 70c0c7f
2 parents b93aae0 + 3ddb369
commit 70c0c7f
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/submissions/description/external_behavior/csv_injection/recommendations.md b/submissions/description/external_behavior/csv_injection/recommendations.md
@@ -1,6 +1,7 @@
 # Recommendation(s)
 
-It is recommended to sanitize the input fields of CSVs so that the content is read as text only by the spreadsheet editor
+It is recommended to validate and sanitize the input fields of CSVs so that the content is read as text only by the spreadsheet editor. The appropriate content type should also be set in the response header when serving CSV files. For example, `Content-Type: text/csv`.
+Additionally, dynamic formula injection can be prevented by not allowing user-supplied input to be directly interpreted as a calculation or formula. This can be achieved by removing the functionality, or implementing a separate mechanism that handles the user input securely.
 
 For more information, please see: