Merge branch 'security/4.4.9-releng' into 4.4.9-releng

sunnavy · sunnavy · commit 52243b29c296 · 2025-10-22T12:46:24.000-04:00
diff --git a/share/html/Elements/TSVExport b/share/html/Elements/TSVExport
@@ -122,6 +122,8 @@ while (my $row = $Collection->Next) {
             $val =~ s/(?:\n|\r)+/ /g; $val =~ s{\t}{    }g;
             $val = $no_html->scrub($val);
             $val = HTML::Entities::decode_entities($val);
+            # To prevent injection, add a leading space to make sure excel-ish applications treat it like a literal
+            $val =~ s/^(?=-|\+|=|\@|")/ /;
             $val;
         } @$col)."\n");
     }

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,8 @@ while (my $row = $Collection->Next) {`
`122`	`122`	`$val =~ s/(?:\n\|\r)+/ /g; $val =~ s{\t}{ }g;`
`123`	`123`	`$val = $no_html->scrub($val);`
`124`	`124`	`$val = HTML::Entities::decode_entities($val);`
	`125`	`+ # To prevent injection, add a leading space to make sure excel-ish applications treat it like a literal`
	`126`	`+ $val =~ s/^(?=-\|\+\|=\|\@\|")/ /;`
`125`	`127`	`$val;`
`126`	`128`	`} @$col)."\n");`
`127`	`129`	`}`