
Prevent code injection in Excel export #3313

@glebfox

Description


Environment

Jmix version: 7.2

Bug Description

It is possible to put an executable value (one starting with =cmd|) into the exported Excel file.

Steps To Reproduce

  1. Create an entity with a String field
  2. Create screens
  3. Add the Excel action to the browse screen
  4. Create a new entity instance and set the String field value to =CMD|' /c echo TEST > c:\temp\test.txt'!A0 or any other =cmd script
  5. Export to Excel

Current Behavior

The script value is written as is and can be executed (in my case I have to navigate to the cell and press Enter).

Expected Behavior

The script value cannot be executed.

Possible solution

The script value is quoted, i.e. a ' is added to the beginning of the value so that it is treated as a regular string.
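As an added example, not code from Jmix, a small Java helper (hypothetical class name ExcelCellSanitizer) implementing the quoting described above: it prefixes a value with an apostrophe when its first character is one Excel treats as the start of a formula (=, +, -, @, tab, carriage return) and leaves everything else unchanged.

```java
import java.util.List;

/**
 * Added example (not Jmix code): neutralises formula injection in values
 * written to an exported spreadsheet by applying the fix proposed above,
 * i.e. prefixing a dangerous value with a single quote.
 */
public final class ExcelCellSanitizer {

    // Leading characters that Excel (and other spreadsheet applications)
    // interpret as the start of a formula, or that can become one on edit/paste.
    private static final String FORMULA_TRIGGERS = "=+-@\t\r";

    private ExcelCellSanitizer() {}

    /** True if the value would be evaluated rather than shown as text. */
    public static boolean looksLikeFormula(String value) {
        return value != null && !value.isEmpty()
                && FORMULA_TRIGGERS.indexOf(value.charAt(0)) >= 0;
    }

    /**
     * Returns the value to write into a string cell: a leading apostrophe is
     * added so the spreadsheet treats the content as literal text.
     */
    public static String sanitize(String value) {
        return looksLikeFormula(value) ? "'" + value : value;
    }

    public static void main(String[] args) {
        // Constructed sample column: the payload from step 4 of the report,
        // a text value that merely starts with a minus sign (it is exported as
        // text, so it is quoted too), and ordinary values that must stay untouched.
        List<String> column = List.of(
                "=CMD|' /c echo TEST > c:\\temp\\test.txt'!A0",
                "-12.5",
                "@SUM(A1:A2)",
                "plain text");
        for (String cell : column) {
            System.out.printf("%-45s -> %s%n", cell, sanitize(cell));
        }
    }
}
```

Apply it only to values written as string cells; numbers and dates exported as typed cells need no quoting. A string cell written through a library such as Apache POI stores the apostrophe as part of the text, so it is visible in the sheet; that is the trade-off the proposed fix accepts.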
