Skip to main content
Join the official Python Developers Survey 2018 and win valuable prizes: Start the survey!

Drop-in replacement for Python's CSV library that tries to mitigate CSV injection attacks

Project description

https://img.shields.io/pypi/v/defusedcsv.svg https://travis-ci.org/raphaelm/defusedcsv.svg?branch=master https://codecov.io/gh/raphaelm/defusedcsv/branch/master/graph/badge.svg

If your Python application offers CSV export of user-generated data, that user-generated data might contain malicious payloads that might trigger vulnerabilities in the spreadsheet software of the user that downloads the file (i.e. MS Excel or LibreOffice).

This library tries to mitigate that by prepending all cells starting with @, +, -, =, | or % with an apostrophe ' and additionally replacing all | characters in these cells with \|. This will of course change the resulting CSV files, but Excel will not display the ' character to the user.

Tested with Python 3.4 to 3.6.

Usage

This library acts as a drop-in replacement for the standard library’s csv module. You can use it by just replacing import csv with from defusedcsv import csv in your code.

License

The code in this repository is published under the terms of the Apache License. See the LICENSE file for the complete license text.

This project is maintained by Raphael Michel <mail@raphaelmichel.de>. See the AUTHORS file for a list of all the awesome folks who contributed to this project.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
defusedcsv-1.0.1-py3-none-any.whl (4.7 kB) Copy SHA256 hash SHA256 Wheel 3.4 Aug 7, 2017
defusedcsv-1.0.1.tar.gz (3.0 kB) Copy SHA256 hash SHA256 Source None Aug 7, 2017

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page