
json-2-csv


json-2-csv - npm Package Compare versions

Comparing version 3.14.4 to 3.15.0

3

lib/constants.json

@@ -39,3 +39,4 @@ {

"parseValue": null,
"wrapBooleans": false
"wrapBooleans": false,
"preventCsvInjection": false
},

@@ -42,0 +43,0 @@

@@ -50,2 +50,9 @@ export interface ISharedOptions {

trimFieldValues?: boolean;
/**
* Should CSV injection be prevented by left trimming these characters:
* Equals (=), Plus (+), Minus (-), At (@), Tab (0x09), Carriage return (0x0D).
* @default false
*/
preventCsvInjection?: boolean;
}

@@ -106,2 +113,8 @@

excludeKeys?: string[];
/**
* Specify how values should be converted into CSV format. This function is provided a single field value at a time and must return a `String`.
* Note: Using this option may override other options, including `useDateIso8601Format` and `useLocaleFormat`.
*/
parseValue?: (fieldValue: any) => string;
}

@@ -108,0 +121,0 @@
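Review bot: The new `parseValue` option types the callback argument as `any`, which switches off type checking inside every user-supplied parser; the values handed to it are arbitrary JSON leaves, so `unknown` is the honest type and makes the caller narrow before use: `parseValue?: (fieldValue: unknown) => string;`. This is a typings-only change but it can surface new compile errors for consumers who currently rely on `any`, so it may be worth a note in the changelog. The interface that this hunk closes with `}` opens outside the hunk, so I cannot see whether other members already use `any` for the same reason.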

@@ -255,2 +255,3 @@ 'use strict';

fieldValue = valueParserFn(fieldValue);
fieldValue = preventCsvInjection(fieldValue);
fieldValue = wrapFieldValueIfNecessary(fieldValue);

@@ -349,2 +350,22 @@

/**
* Prevent CSV injection on strings if specified by the user's provided options.
* Mitigation will be done by ensuring that the first character doesn't being with:
* Equals (=), Plus (+), Minus (-), At (@), Tab (0x09), Carriage return (0x0D).
* More info: https://owasp.org/www-community/attacks/CSV_Injection
* @param fieldValue
* @returns {*}
*/
function preventCsvInjection(fieldValue) {
if (options.preventCsvInjection) {
if (Array.isArray(fieldValue)) {
return fieldValue.map(preventCsvInjection);
} else if (utils.isString(fieldValue) && !utils.isNumber(fieldValue)) {
return fieldValue.replace(/^[=+\-@\t\r]+/g, '');
}
return fieldValue;
}
return fieldValue;
}
/**
* Escapes quotation marks in the field value, if necessary, and appropriately

@@ -351,0 +372,0 @@ * wraps the record field value if it contains a comma (field delimiter),
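Review bot: The numeric exemption in `preventCsvInjection` (`!utils.isNumber(fieldValue)`) is not stated anywhere: a string such as `"-5"` keeps its leading minus while `"-foo"` loses it, yet the docblock, the `ISharedOptions` comment and the README all say the listed characters are trimmed unconditionally. Add a line to the docblock, e.g. ` * Strings accepted by Number() (e.g. "-5", "+1e3") are returned unchanged so numeric data keeps its sign.`, and fix the typo `doesn't being with` → `doesn't begin with`. Trimming also discards data (a constructed value like `"+44 20 7946 0000"` becomes `"44 20 7946 0000"`), which matches what the option promises, but the OWASP page linked in the comment recommends prefixing a single quote so the original text survives; the README should at least say the characters are removed rather than escaped. The `g` flag on `/^[=+\-@\t\r]+/g` is redundant given the `^` anchor.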

@@ -20,2 +20,3 @@ 'use strict';

isInvalid,
isNumber,

@@ -252,2 +253,11 @@ // underscore replacements:

/**
* Checks whether value can be converted to a number
* @param value {String}
* @returns {boolean}
*/
function isNumber(value) {
return !isNaN(Number(value));
}
/*

@@ -254,0 +264,0 @@ * Helper functions which were created to remove underscorejs from this package.
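Review bot: `isNumber` returns true for values that are not numeric text in the sense the converter relies on, because `Number()` ignores leading and trailing whitespace and coerces `''` to 0: `isNumber('')`, `isNumber(' ')` and `isNumber('\t-5')` are all true. Through the `!utils.isNumber(fieldValue)` guard in `preventCsvInjection` a field value that starts with a Tab or carriage return followed by digits therefore keeps that leading character, although Tab and CR are on the list the option promises to trim. Suggest rejecting blank and whitespace-led strings before falling through to `Number()`: `if (typeof value === 'string' && (value.trim() === '' || /^\s/.test(value))) { return false; }` followed by the existing `return !isNaN(Number(value));`. The JSDoc should also say this is `Number()` coercion, so `null`, `true` and `[]` count as numbers.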

@@ -8,3 +8,3 @@ {

"description": "A JSON to CSV and CSV to JSON converter that natively supports sub-documents and auto-generates the CSV heading.",
"version": "3.14.4",
"version": "3.15.0",
"homepage": "https://mrodrig.github.io/json-2-csv",

@@ -47,6 +47,6 @@ "repository": {

"devDependencies": {
"babel-eslint": "10.1.0",
"@babel/eslint-parser": "7.16.5",
"coveralls": "3.1.0",
"eslint": "7.14.0",
"mocha": "8.2.1",
"eslint": "8.4.1",
"mocha": "9.1.3",
"nyc": "15.1.0",

@@ -53,0 +53,0 @@ "should": "13.2.3",

@@ -143,2 +143,4 @@ # json-2-csv

* Default: `false`
* `preventCsvInjection` - Boolean - Should CSV injection be prevented by left trimming these characters: Equals (=), Plus (+), Minus (-), At (@), Tab (0x09), Carriage return (0x0D).
* Default: `false`

@@ -145,0 +147,0 @@
