Injection Warning

When a CSV file is opened in an external program, a formula in a field could be run by that program, which can be a vulnerability. Read more here: CSV Injection. Because of this issue, there is a setting, InjectionOptions, that can be configured.

The list of injection characters to detect is configurable in CsvConfiguration.InjectionCharacters and defaults to =, @, +, -, \t, \r. An injection character can be the first character of a field or of a quoted field, e.g. =foo or "=foo".

The InjectionOptions values are None (default), Escape, Strip, and Exception.


None

No injection protection is taken.

Exception

If an injection character is detected, a CsvWriterException is thrown.

Strip

All injection characters at the start of a field will be removed. ===foo will be stripped to foo.

Escape

If an injection character is detected, the field will be prepended with the InjectionEscapeCharacter that defaults to '. The field will be quoted if it is not already.

=one -> "'=one"

"=one" -> "'=one"

=one"two -> "'=one""two"

This option is disabled by default because the primary goal of this library is to read and write CSV files. If you are storing user-entered data that you haven't sanitized yourself and you're letting it be accessed by people who may open it in Excel/Sheets/etc., you might consider enabling this feature. The InjectionEscapeCharacter is not removed when reading.
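The following is an added example, not code from the CsvHelper documentation. It writes the same constructed rows under each InjectionOptions value so the effect on a field that starts with an injection character can be compared. The Comment class, the InjectionDemo class and the sample rows are assumptions made for illustration, and the Exception case is caught through the library's base CsvHelperException type.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using CsvHelper;
using CsvHelper.Configuration;

// Hypothetical record type used only for this example.
public class Comment
{
    public int Id { get; set; }
    public string Text { get; set; } = "";
}

public static class InjectionDemo
{
    // Constructed sample data: the second row stands in for unsanitized user input
    // and reuses the =one"two field from the Escape examples above.
    private static readonly List<Comment> Rows = new()
    {
        new Comment { Id = 1, Text = "plain text" },
        new Comment { Id = 2, Text = "=one\"two" },
    };

    // Writes Rows to an in-memory CSV using the given injection handling mode.
    private static string Write(InjectionOptions option)
    {
        var config = new CsvConfiguration(CultureInfo.InvariantCulture)
        {
            InjectionOptions = option,
        };
        using var writer = new StringWriter();
        using var csv = new CsvWriter(writer, config);
        csv.WriteRecords(Rows);
        csv.Flush();
        return writer.ToString();
    }

    public static void Main()
    {
        foreach (var option in new[] { InjectionOptions.None, InjectionOptions.Strip, InjectionOptions.Escape })
        {
            Console.WriteLine($"--- {option} ---");
            Console.Write(Write(option));
        }

        // Exception mode rejects the row instead of rewriting the field.
        try { Write(InjectionOptions.Exception); }
        catch (CsvHelperException ex) { Console.WriteLine($"--- Exception --- {ex.Message}"); }
    }
}
```

Because the InjectionEscapeCharacter is not removed when reading, a file written in Escape mode will return the escape character as part of the field when it is read back with the library.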

When writing, you can throw an enumerable of class objects, dynamic objects, anonymous type objects, or pretty much anything else, and it will get written.

Write Class Objects
Write Dynamic Objects
Write Anonymous Type Objects
Appending to an Existing File