N°6977 - Sanitize Excel formulas in exports (#818)

* N°6977 - Sanitize Excel formulas in export in the backoffice --------- Co-authored-by: Molkobain <lajarige.guillaume@free.fr>
2026-04-23 10:38:45 +02:00 · 2026-03-05 15:07:27 +01:00
parent fc967c06ce
commit 3b8e079cf1
25 changed files with 388 additions and 21 deletions
--- a/tests/php-unit-tests/unitary-tests/core/BulkExportTest.php
+++ b/tests/php-unit-tests/unitary-tests/core/BulkExportTest.php
@@ -158,4 +158,173 @@ EOF;
 		$this->assertEquals($sExpectedValue, $data);
 	}

+	/**
+	 * @dataProvider OrganizationsForExportSanitizeExcelExportProvider
+	 *
+	 * @param $aListOrg
+	 * @param $aExpectedValues
+	 * @return void
+	 * @throws \CoreCannotSaveObjectException
+	 * @throws \CoreException
+	 * @throws \CoreUnexpectedValue
+	 * @throws \OQLException
+	 * @throws \ReflectionException
+	 */
+	public function testExportWithSanitizeExcelExport(
+		$aListOrg,
+		$aExpectedValues,
+	) {
+		// Create tests organizations to have enough data
+		$iFirstOrg = 0;
+		foreach ($aListOrg as $aOrg) {
+			$oObj = $this->CreateOrganization($aOrg[0]);
+			if ($aOrg[1] === false) {
+				$oObj->Set('status', 'inactive');
+				$oObj->DBUpdate();
+			}
+			if ($iFirstOrg === 0) {
+				$iFirstOrg = $oObj->GetKey();
+			}
+		}
+
+		$aStatusInfo = [
+			"fields" => [
+				[
+					"sFieldSpec" => "name",
+					"sAlias" => "Organization",
+					"sClass" => "Organization",
+					"sAttCode" => "name",
+					"sLabel" => "Name",
+					"sColLabel" => "Name",
+				],
+			],
+			"text_qualifier" => "\"",
+			"charset" => "UTF-8",
+			"separator" => ",",
+			"date_format" => "Y-m-d H:i:s",
+			"formatted_text" => false,
+			"show_obsolete_data" => false,
+			'ignore_excel_sanitization' => false,
+		];
+		$sStatus = [];
+		$oSearch = DBObjectSearch::FromOQL('SELECT Organization');
+		$oExporter = BulkExport::FindExporter('csv', $oSearch);
+		$oExporter->SetStatusInfo($aStatusInfo);
+		$oExporter->SetObjectList($oSearch);
+		$oExporter->SetChunkSize(EXPORTER_DEFAULT_CHUNK_SIZE);
+
+		$data = $oExporter->GetHeader();
+		$data .= $oExporter->GetNextChunk($sStatus);
+
+		// Check that the value is sanitized as expected (with a ' prefix)
+		foreach ($aExpectedValues as $sExpectedValue) {
+			$this->assertStringContainsString($sExpectedValue, $data, "The value $sExpectedValue is expected to be found in the export result");
+		}
+	}
+
+	/**
+	 * @dataProvider OrganizationsForExportSanitizeExcelExportProvider
+	 *
+	 * @param $aListOrg
+	 * @param $aExpectedValues
+	 * @return void
+	 * @throws \CoreCannotSaveObjectException
+	 * @throws \CoreException
+	 * @throws \CoreUnexpectedValue
+	 * @throws \OQLException
+	 * @throws \ReflectionException
+	 */
+	public function testExportWithoutSanitizeExcelExport(
+		$aListOrg,
+		$aExpectedValues,
+	) {
+		// Create tests organizations to have enough data
+		$iFirstOrg = 0;
+		foreach ($aListOrg as $aOrg) {
+			$oObj = $this->CreateOrganization($aOrg[0]);
+			if ($aOrg[1] === false) {
+				$oObj->Set('status', 'inactive');
+				$oObj->DBUpdate();
+			}
+			if ($iFirstOrg === 0) {
+				$iFirstOrg = $oObj->GetKey();
+			}
+		}
+
+		$aStatusInfo = [
+			"fields" => [
+				[
+					"sFieldSpec" => "name",
+					"sAlias" => "Organization",
+					"sClass" => "Organization",
+					"sAttCode" => "name",
+					"sLabel" => "Name",
+					"sColLabel" => "Name",
+				],
+			],
+			"text_qualifier" => "\"",
+			"charset" => "UTF-8",
+			"separator" => ",",
+			"date_format" => "Y-m-d H:i:s",
+			"formatted_text" => false,
+			"show_obsolete_data" => false,
+			'ignore_excel_sanitization' => true,
+		];
+		$sStatus = [];
+		$oSearch = DBObjectSearch::FromOQL('SELECT Organization');
+		$oExporter = BulkExport::FindExporter('csv', $oSearch);
+		$oExporter->SetStatusInfo($aStatusInfo);
+		$oExporter->SetObjectList($oSearch);
+		$oExporter->SetChunkSize(EXPORTER_DEFAULT_CHUNK_SIZE);
+
+		$data = $oExporter->GetHeader();
+		$data .= $oExporter->GetNextChunk($sStatus);
+
+		// Check that the value is not sanitized
+		foreach ($aListOrg as $sExpectedValue) {
+			$this->assertStringContainsString($sExpectedValue[0], $data, "The value $sExpectedValue[0] is expected to be found in the export result");
+		}
+	}
+
+	public function OrganizationsForExportSanitizeExcelExportProvider()
+	{
+		return [
+			'Page1' => [
+				'list_org' => [
+					['=org1', true],
+					['+org2', true],
+					['-org3', true],
+					['@org4', true],
+					["\t=org5", true],
+					["\rorg6", true],
+					["\r\t\r =org7", true],
+					['＝org8', true],
+					['＋org9', true],
+					['－org10', true],
+					['＠org11', true],
+					['|org12', true],
+					['%3Dorg13', true],
+					['%3dorg14', true],
+					['org15', true],
+				],
+				'export_org' => [
+					"'=org1",
+					"'+org2",
+					"'-org3",
+					"'@org4",
+					"'\t=org5",
+					"'\rorg6",
+					"'\r\t\r =org7",
+					"'＝org8",
+					"'＋org9",
+					"'－org10",
+					"'＠org11",
+					"'|org12",
+					"'%3Dorg13",
+					"'%3dorg14",
+					"org15",
+				],
+			],
+		];
+	}
 }