Does FlexGridXlsxConverter have built-in data sanitization?

Posted by: arobindhbalaji.viswanathan on 21 August 2024, 4:08 pm EST

    As a penetration test scenario, we are facing an issue where one of the cells inside a grid contains a malicious payload, e.g. (“=10@@!#$#”). When such a grid is exported using FlexGridXlsxConverter.saveAsync, it is executing the malicious content as commands on the user’s machine when opened. I was wondering if there is any config property available within wijmo.grid.xlsx that will sanitize the data, removing any such malicious content.

  • Posted 22 August 2024, 8:21 am EST

    Hi Arobindh Balaji,

    For now, there is no such property available that sanitizes this type of code from the data. However, you can use a custom ‘formatItem’ function while exporting the grid to Excel that can make such modifications. You can refer to the following sample demonstrating the same - https://stackblitz.com/edit/js-vjcxzo?file=index.js

    You can refer to the following API link for more information about the config options available when exporting the grid to Excel using the ‘FlexGridXlsxConverter.saveAsync’ method - https://developer.mescius.com/wijmo/api/interfaces/Wijmo_Grid_Xlsx.Iflexgridxlsxoptions.html

    Please note that you’ll be able to remove the code only when you are able to identify it in the data. In the above sample we have used a simple regex to identify the malicious code that contains the ‘@’ character and ends with ‘#’. You may need to modify the regex to match all scenarios that may be possible in your case.

    Regards
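
A worked version of the ‘formatItem’ approach described in the answer above, added here as an example and not taken from the original post or from Wijmo’s own code. Instead of matching one specific payload with a regex, it treats any string that a spreadsheet would parse as a formula (leading =, +, -, @, tab or carriage return) as text by prefixing an apostrophe; it assumes the callback receives an args object whose `xlsxCell` has `value` and `formula` fields, and the `saveAsync` call shown in the comment is an assumed usage, not executed here.

```javascript
// Added example (not from the original post or from Wijmo's own code).
// Assumption: the wijmo.grid.xlsx formatItem callback receives an args object
// whose `xlsxCell` carries the `value` (and `formula`) about to be written.

// Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
// Tab and carriage return are included because they bypass a naive "=" check.
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

// Returns a value the spreadsheet will show as literal text. Only strings are
// touched; numbers, dates and booleans cannot carry a formula. Note that a
// negative number stored as a string (e.g. "-5") is also prefixed, so keep
// numeric columns typed as numbers rather than strings.
function sanitizeCellValue(value) {
  if (typeof value !== 'string') return value;
  if (!FORMULA_TRIGGERS.test(value)) return value;
  return "'" + value; // apostrophe prefix forces a text cell
}

// formatItem handler to pass in the saveAsync options. It rewrites the outgoing
// cell value and clears any formula derived from it (assumed `formula` field).
function sanitizeFormatItem(args) {
  const cell = args && args.xlsxCell;
  if (!cell) return;
  const clean = sanitizeCellValue(cell.value);
  if (clean !== cell.value) {
    cell.value = clean;
    cell.formula = null;
  }
}

// Assumed usage with the Wijmo library loaded (not run here):
//   wijmo.grid.xlsx.FlexGridXlsxConverter.saveAsync(
//     grid, { formatItem: sanitizeFormatItem }, 'export.xlsx');

// Simulated export over constructed cell values, including the payload from
// the question, using a stand-in for XlsxFormatItemEventArgs.
function demo() {
  const samples = ['=10@@!#$#', '@SUM(A1)', '\t=1+1', 'hello', 42];
  return samples.map((v) => {
    const args = { xlsxCell: { value: v, formula: null } }; // constructed
    sanitizeFormatItem(args);
    return args.xlsxCell.value;
  });
}
```

The exported cell will display the apostrophe literally in an .xlsx file, which is the price of keeping the original content visible while making it inert; stripping the leading character instead would alter the data.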

  • Posted 23 August 2024, 9:20 am EST

    Thank you, Vivek. That helped us resolve the issue.
