When a CSV file is opened in an external program, a formula in a field that contains a vulnerability could be run.
Read more here: CSV Injection.
Due to this issue, there is a setting InjectionOptions that can be configured.
The list of injection characters to detect is configurable in
and default to
\r. An injection character can be the first character of a field
or quoted field. i.e.
InjectionOptions values are
No injection protection is taken.
If an injection character is detected, a CsvWriterException is thrown.
All injection characters at the start of a field will be removed. ===foo will be stripped to foo.
If an injection character is detected, the field will be prepended with the InjectionEscapeCharacter, which defaults to '. The field will be quoted if it is not already.
This option is disabled by default because the primary goal of this library is to read and write CSV files. If you are storing user-entered data that you haven't sanitized yourself and you're letting it be accessed by people who may open it in Excel/Sheets/etc., you might consider enabling this feature.
InjectionEscapeCharacter is not removed when reading.
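The following added example (not taken from the CsvHelper documentation) writes the same constructed rows once per InjectionOptions value, then reads the escaped output back to show that the escape character stays in the data. The `Comment` class and `Write` helper are hypothetical names; the enum member names and the `CsvHelperException` base type are taken from the CsvHelper API rather than from this page.

```csharp
using System;
using System.Globalization;
using System.IO;
using CsvHelper;
using CsvHelper.Configuration;

// Constructed sample data: the second row's Text starts with '=',
// so a spreadsheet program would treat it as a formula.
var rows = new[]
{
    new Comment { Id = 1, Text = "plain text" },
    new Comment { Id = 2, Text = "=1+1" },
};

foreach (var option in new[] { InjectionOptions.None, InjectionOptions.Exception,
                               InjectionOptions.Strip, InjectionOptions.Escape })
{
    Console.WriteLine($"--- InjectionOptions.{option} ---");
    try
    {
        var text = Write(rows, option);
        Console.Write(text);
        if (option == InjectionOptions.Escape)
        {
            // Reading does not undo the escaping: the prepended character
            // remains part of the field value.
            using var reader = new CsvReader(new StringReader(text), CultureInfo.InvariantCulture);
            foreach (var r in reader.GetRecords<Comment>())
                Console.WriteLine($"read back: {r.Text}");
        }
    }
    catch (CsvHelperException ex) // base type of the library's writer exception
    {
        Console.WriteLine($"write rejected: {ex.Message}");
    }
}

// Hypothetical helper: serialises the rows with the given injection setting.
static string Write(Comment[] rows, InjectionOptions option)
{
    var config = new CsvConfiguration(CultureInfo.InvariantCulture) { InjectionOptions = option };
    using var writer = new StringWriter();
    using var csv = new CsvWriter(writer, config);
    csv.WriteRecords(rows);
    csv.Flush();
    return writer.ToString();
}

public class Comment
{
    public int Id { get; set; }
    public string Text { get; set; }
}
```

Because the escape character survives a round trip, any consumer that reads the file programmatically has to account for it.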
When writing, you can throw an enumerable of class objects, dynamic objects, anonymous type objects, or pretty much anything else, and it will get written.
|Write Class Objects|
|Write Dynamic Objects|
|Write Anonymous Type Objects|
|Appending to an Existing File|