Summary
CSV export writes attacker-controlled fields directly into quoted CSV without CSV-safe escaping or formula neutralization.
Evidence
functions.php export blocks around:
Values are concatenated directly, including host/message/log text.
Risk
- Spreadsheet formula execution when cells begin with =, +, -, @
- Broken CSV format for embedded quotes/newlines
Expected fix
- Use fputcsv() (or equivalent robust escaping)
- Prefix dangerous leading formula characters with '
- Preserve existing export columns/format semantics
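The expected fix as an added example, not the project's own functions.php code: fputcsv() handles quoting of embedded quotes and newlines, and leading formula characters are neutralized with a single quote; the column names and sample rows are constructed for illustration.

```php
<?php
// Added example (not the project's code): hardened CSV export for
// attacker-controlled fields such as host/message/log text.

/**
 * Neutralize a value that a spreadsheet would evaluate as a formula.
 * A cell beginning with =, +, - or @ is prefixed with a single quote so
 * the spreadsheet treats it as literal text.
 */
function csv_neutralize_formula(string $value): string
{
    if ($value !== '' && in_array($value[0], ['=', '+', '-', '@'], true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Build a CSV document from a header and rows with fputcsv(), which quotes
 * embedded delimiters, quotes and newlines. Column order and names are
 * emitted exactly as passed in, so the export format is preserved.
 */
function csv_export(array $header, array $rows): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $header);
    foreach ($rows as $row) {
        // Cast every field to string, then neutralize before quoting.
        fputcsv($fh, array_map('csv_neutralize_formula', array_map('strval', $row)));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample rows (hypothetical log data, not from the report).
$rows = [
    ['host' => 'web01', 'message' => '=SUM(1,2)',          'log' => 'line 1'],
    ['host' => 'db02',  'message' => 'said "hi", then',    'log' => "multi\nline"],
];
echo csv_export(['host', 'message', 'log'], $rows);
```

Columns that legitimately hold negative numbers will also receive the leading quote; if the export has such numeric columns, apply csv_neutralize_formula() only to the free-text fields.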