观点 · 6 分钟阅读

CSV injection and formula hijacking: what viewers should avoid executing

Cells beginning with =, +, -, @ can trigger spreadsheet formulas, awareness for security teams and CSV tooling.

发布于 2025年3月21日 · Table

When CSV opens in Excel or Sheets, a cell like =cmd|... can be interpreted as a formula. Pure viewers that do not execute formulas reduce that class of risk compared to full spreadsheet apps.

Defenses

Strip or prefix risky leading characters in untrusted feeds.
Open unknown files in a sandboxed viewer first.
Train finance users on "enable content" prompts.

CSV injection and formula hijacking: what viewers should avoid executing

Defenses

Converters

Viewers & compare

Excel workflows

Learn & product

Color