mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-05-26 16:20:19 -04:00
In user research, we’ve seen users copy/pasting the contents of the inbound SMS page into a spreadsheet, in order to keep a record of the messages they receive. They even went as far as to write a macro which fixed the errors caused by copying and pasting. It would be much easier if we just gave them the data already in a spreadsheet format. Which is what this commit does.

One caveat is that, because spreadsheets can contain executable code (i.e. formulas), and because we’re populating the spreadsheet with user-submitted data (albeit via SMS), we need to be careful about injection attacks. The details of how these attacks work are detailed here (interesting reading): http://georgemauer.net/2017/10/07/csv-injection.html

The mitigation is to not allow characters which initialise a formula at the start of the cell.
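The mitigation the message describes, written out as an added example that is not the commit's own code and not taken from notifications-admin. It assumes the export is produced in Python (the project's language) with the standard `csv` module; the function names (`is_formula_like`, `sanitise_cell`, `build_inbound_csv`), the `mode` parameter and the sample messages are all constructed for this illustration. It goes slightly beyond the commit by supporting two policies for a formula-like cell: prefixing a single quote so the spreadsheet shows the text literally, or stripping the leading trigger characters as the message's "not allow" wording suggests.

```python
import csv
import io

# Characters that spreadsheet applications interpret as the start of a formula.
# '=' '+' '-' '@' are the classic triggers; tab and carriage return are included
# because some importers also treat cells beginning with them as formulas.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet would try to evaluate this cell as a formula.

    Leading spaces are ignored, because spreadsheets ignore them too.
    """
    text = "" if value is None else str(value)
    return text.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitise_cell(value, mode="quote"):
    """Return `value` as text that a spreadsheet will display literally.

    mode="quote": prefix a single quote, which spreadsheets treat as a
                  "this cell is text" marker; the original content survives.
    mode="strip": remove the leading trigger characters instead, matching a
                  policy of simply not allowing them at the start of a cell.
    (Both modes and the parameter name are assumptions of this example.)
    """
    text = "" if value is None else str(value)
    if not is_formula_like(text):
        return text
    if mode == "quote":
        return "'" + text
    if mode == "strip":
        return text.lstrip(" " + "".join(FORMULA_TRIGGERS))
    raise ValueError("mode must be 'quote' or 'strip'")


# Constructed sample of inbound SMS rows: (received_at, sender, message).
# Phone numbers are from a reserved UK drama range; none of this is real data.
SAMPLE_MESSAGES = [
    ("2024-01-05 09:12", "+447700900123", "Yes please"),
    ("2024-01-05 09:15", "+447700900456", "=1+1"),
    ("2024-01-05 09:20", "+447700900789", "  -5 degrees this morning"),
    ("2024-01-05 09:22", "+447700900321", "@bob can you call me"),
]


def build_inbound_csv(messages, mode="quote"):
    """Render (received_at, sender, message) rows as CSV text with every cell sanitised."""
    buffer = io.StringIO()
    writer = csv.writer(buffer)
    writer.writerow(["received_at", "sender", "message"])
    for row in messages:
        writer.writerow([sanitise_cell(cell, mode) for cell in row])
    return buffer.getvalue()


if __name__ == "__main__":
    print(build_inbound_csv(SAMPLE_MESSAGES))
```

Note the trade-off visible in the sample: a sender number written as `+447700900123` also starts with a trigger character, so it gets the same quote prefix (or loses its `+` in strip mode). That is the cost of the check being purely syntactic, and it is why the check is applied to every cell rather than only to the message body, since the sender field is user-controlled too.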