
force quote when escapeFormulae is used (OWASP recommandation)

pull/904/head
caub 3 years ago
parent
commit
84a957167f
  1. 6
      papaparse.js
  2. 4
      tests/test-cases.js

6
papaparse.js

@ -444,13 +444,17 @@ License: MIT @@ -444,13 +444,17 @@ License: MIT
if (str.constructor === Date)
return JSON.stringify(str).slice(1, 25);
var needsQuotes = false;
if (_escapeFormulae && typeof str === "string" && _escapeFormulae.test(str)) {
str = "'" + str;
needsQuotes = true;
}
var escapedQuoteStr = str.toString().replace(quoteCharRegex, _escapedQuote);
var needsQuotes = (typeof _quotes === 'boolean' && _quotes)
needsQuotes = needsQuotes
|| _quotes === true
|| (typeof _quotes === 'function' && _quotes(str, col))
|| (Array.isArray(_quotes) && _quotes[col])
|| hasAny(escapedQuoteStr, Papa.BAD_DELIMITERS)
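Review bot: The `needsQuotes = true;` inside the `_escapeFormulae` branch has no comment saying why a formula-escaped field overrides the caller's `quotes` setting, so a later cleanup could fold it back into the `_quotes` chain and silently drop the mitigation. I would add above the `if`: `// CSV-injection hardening (OWASP): prefix the cell with ' and always wrap it in quotes, whatever the quotes option says`. The guard is also `typeof str === "string"`, so a non-string value whose `toString()` on the following line begins with a trigger character gets neither the apostrophe nor the forced quotes. Whether such values reach this point depends on callers not shown here, so it is worth a sentence in the comment or the `escapeFormulae` docs. The `needsQuotes` expression continues past the end of the hunk.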

4
tests/test-cases.js

@ -1881,7 +1881,7 @@ var UNPARSE_TESTS = [ @@ -1881,7 +1881,7 @@ var UNPARSE_TESTS = [
description: "Escape formulae",
input: [{ "Col1": "=danger", "Col2": "@danger", "Col3": "safe" }, { "Col1": "safe=safe", "Col2": "+danger", "Col3": "-danger, danger" }, { "Col1": "'+safe", "Col2": "'@safe", "Col3": "safe, safe" }, { "Col1": "\tdanger", "Col2": "\rdanger,", "Col3": "safe\t\r" }],
config: { escapeFormulae: true },
expected: 'Col1,Col2,Col3\r\n\'=danger,\'@danger,safe\r\nsafe=safe,\'+danger,"\'-danger, danger"\r\n\'+safe,\'@safe,"safe, safe"\r\n\'\tdanger,"\'\rdanger,","safe\t\r"'
expected: 'Col1,Col2,Col3\r\n"\'=danger","\'@danger",safe\r\nsafe=safe,"\'+danger","\'-danger, danger"\r\n\'+safe,\'@safe,"safe, safe"\r\n"\'\tdanger","\'\rdanger,","safe\t\r"'
},
{
description: "Don't escape formulae by default",
@ -1898,7 +1898,7 @@ var UNPARSE_TESTS = [ @@ -1898,7 +1898,7 @@ var UNPARSE_TESTS = [
description: "Escape formulae with single-quote quoteChar and escapeChar",
input: [{ "Col1": "=danger", "Col2": "@danger", "Col3": "safe" }, { "Col1": "safe=safe", "Col2": "+danger", "Col3": "-danger, danger" }, { "Col1": "'+safe", "Col2": "'@safe", "Col3": "safe, safe" }, { "Col1": " danger", "Col2": "\rdanger,", "Col3": "safe, \t\r" }],
config: { escapeFormulae: true, quoteChar: "'", escapeChar: "'" },
expected: 'Col1,Col2,Col3\r\n\'\'=danger,\'\'@danger,safe\r\nsafe=safe,\'\'+danger,\'\'\'-danger, danger\'\r\n\'\'+safe,\'\'@safe,\'safe, safe\'\r\n\'\'\tdanger,\'\'\'\rdanger,\',\'safe, \t\r\''
expected: 'Col1,Col2,Col3\r\n\'\'\'=danger\',\'\'\'@danger\',safe\r\nsafe=safe,\'\'\'+danger\',\'\'\'-danger, danger\'\r\n\'\'+safe,\'\'@safe,\'safe, safe\'\r\n\'\'\'\tdanger\',\'\'\'\rdanger,\',\'safe, \t\r\''
},
{
description: "Escape formulae with single-quote quoteChar and escapeChar and forced quotes",
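Review bot: Both updated `expected` strings exercise the forced quoting only with the default `quotes` setting, so nothing visible here pins the case the change is really about: an escaped cell when the caller has asked for no quotes. A case with `config: { escapeFormulae: true, quotes: false }`, and one with a `quotes` function or per-column array that returns false for the dangerous column, would catch a regression that lets `_quotes` win again. Such cases may already exist elsewhere in `UNPARSE_TESTS`, which extends beyond these hunks.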
