Prevent Against CSV Injection Attacks

  • May 28, 2025

DevExpress Card View, Grid View, Pivot Grid, and Vertical Grid controls allow you to export data in CSV format. The exported file may contain content that spreadsheet software (such as Microsoft Excel) interprets as a formula. These formulas can execute shell commands when a user opens the file. For example, the following formula runs the Windows Calculator:

```console
=cmd|' /C calc'!'!A1'
```

DevExpress Grid-like controls do not auto-encode executable content for the following reasons:

  • Microsoft Excel requires user permission to run executable content.
  • Encoding may unintentionally alter data, such as negative numbers or text values that start with the “=” character.

DevExpress ASP.NET Web Forms controls include a built-in mechanism to encode executable content. During CSV export operations, this mechanism encloses values that start with “=”, “-”, “+”, “@”, or “” in quote characters. Enable executable content encoding to protect your application against CSV injection attacks (see CWE-74).
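To make the encoding rule concrete, the following stand-alone C# program is an added example written for this page; it is not DevExpress code and does not reproduce the internals of `EncodeCsvExecutableContent`. It follows the neutralisation approach from the OWASP CSV Injection page linked under "See Also": treat a cell whose first character is `=`, `+`, `-`, `@`, TAB or CR as potentially executable, prefix it with a single quote so spreadsheet software reads it as text, double any embedded quotes, and wrap every cell in double quotes. The class name `CsvSafeWriter`, the trigger-character list and the sample rows are all assumptions made for the illustration.

```csharp
// Added example (not DevExpress code): neutralise CSV cells that a spreadsheet
// would otherwise evaluate as a formula or DDE call. Trigger characters follow
// the OWASP CSV Injection guidance; the class and sample data are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

public static class CsvSafeWriter
{
    // Leading characters that Excel and LibreOffice may treat as the start of a
    // formula (the page's own payload starts with '=').
    private static readonly char[] FormulaTriggers = { '=', '+', '-', '@', '\t', '\r' };

    // True when the raw value would be interpreted as executable content.
    public static bool IsExecutable(string value) =>
        !string.IsNullOrEmpty(value) && FormulaTriggers.Contains(value[0]);

    // Encodes one cell: a trigger character is prefixed with a single quote so the
    // cell is read as text, embedded double quotes are doubled (RFC 4180), and the
    // whole value is enclosed in double quotes.
    public static string EncodeCell(string value)
    {
        if (value == null) return "\"\"";
        var sb = new StringBuilder("\"");
        if (IsExecutable(value)) sb.Append('\'');
        sb.Append(value.Replace("\"", "\"\""));
        return sb.Append('"').ToString();
    }

    // Serialises rows to CSV text, encoding every cell.
    public static string ToCsv(IEnumerable<string[]> rows) =>
        string.Join("\r\n", rows.Select(r => string.Join(",", r.Select(EncodeCell))));

    public static void Main()
    {
        // Constructed sample data: a header, a benign row, a row carrying the
        // page's calc payload, and a negative number.
        var rows = new[]
        {
            new[] { "Name", "Balance", "Note" },
            new[] { "Alice", "120.50", "regular" },
            new[] { "Mallory", "=cmd|' /C calc'!'!A1'", "see ticket \"42\"" },
            new[] { "Bob", "-15", "refund" },
        };

        Console.WriteLine(ToCsv(rows));

        // The negative balance "-15" is prefixed like the payload is. This is the
        // data-alteration trade-off the page describes: encoding cannot tell a
        // hostile leading '-' from a legitimate negative number, which is why the
        // controls leave the setting opt-in.
    }
}
```

Run it once with encoding enabled and inspect the third row: the payload survives byte-for-byte in the file (nothing is dropped or logged), but the leading single quote stops the spreadsheet from evaluating it. The fourth row shows why a consumer that re-imports the CSV as numbers needs to account for the prefix.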

Encode Executable Content for All DevExpress Controls

Set the EncodeCsvExecutableContent property to True in the Global.asax file to enable encoding at the application level:

```csharp
void Application_Start(object sender, EventArgs e) {
    DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.True;
}
```

```vb
Private Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
    DevExpress.Export.ExportSettings.EncodeCsvExecutableContent = DevExpress.Utils.DefaultBoolean.[True]
End Sub
```

Encode Executable Content for a Specific DevExpress Control

Set the EncodeExecutableContent property to true to enable content encoding for a specific control.

Built-in Export Commands

The following example encodes content once a user clicks the built-in export button in the DevExpress Grid View’s toolbar:

```aspx
<dx:ASPxGridView ID="grid" runat="server" OnBeforeExport="grid_BeforeExport">
    <Toolbars>
        <dx:GridViewToolbar>
            <Items>
                <dx:GridViewToolbarItem Command="ExportToCsv" />
            </Items>
        </dx:GridViewToolbar>
    </Toolbars>
    <Columns>
        <!-- ... -->
    </Columns>
    <SettingsExport EnableClientSideExportAPI="true" ExcelExportMode="WYSIWYG" />
</dx:ASPxGridView>
```

```cs
using DevExpress.Utils;          // DefaultBoolean
using DevExpress.XtraPrinting;   // CsvExportOptions

protected void grid_BeforeExport(object sender, DevExpress.Web.ASPxGridBeforeExportEventArgs e) {
    // Only CSV exports carry the EncodeExecutableContent option.
    if (e.ExportOptions is CsvExportOptions csvOptions)
        csvOptions.EncodeExecutableContent = DefaultBoolean.True;
}
```

```vb
Imports DevExpress.Utils          ' DefaultBoolean
Imports DevExpress.XtraPrinting   ' CsvExportOptions

Protected Sub grid_BeforeExport(ByVal sender As Object, ByVal e As DevExpress.Web.ASPxGridBeforeExportEventArgs)
    ' Only CSV exports carry the EncodeExecutableContent option.
    If TypeOf e.ExportOptions Is CsvExportOptions Then
        TryCast(e.ExportOptions, CsvExportOptions).EncodeExecutableContent = DefaultBoolean.[True]
    End If
End Sub
```

Custom Export Commands

If you call the ExportToCsv or ExportCsvToResponse method, encode executable content as follows:

```aspx
<dx:ASPxButton ID="button" runat="server" Text="Export to CSV" OnClick="button_Click" />
<dx:ASPxGridView ID="grid" runat="server">
    <Columns>
        <!-- ... -->
    </Columns>
</dx:ASPxGridView>
```

```cs
using DevExpress.Utils;   // DefaultBoolean

protected void button_Click(object sender, EventArgs e) {
    // Build the CSV options explicitly so encoding is on for this export.
    var options = new DevExpress.XtraPrinting.CsvExportOptions();
    options.EncodeExecutableContent = DefaultBoolean.True;
    grid.ExportCsvToResponse(options);
}
```

```vb
Imports DevExpress.Utils   ' DefaultBoolean

Protected Sub button_Click(ByVal sender As Object, ByVal e As EventArgs)
    ' Build the CSV options explicitly so encoding is on for this export.
    Dim options = New DevExpress.XtraPrinting.CsvExportOptions()
    options.EncodeExecutableContent = DefaultBoolean.[True]
    grid.ExportCsvToResponse(options)
End Sub
```

See Also

CSV Injection | OWASP Foundation