fixed bug 41754: negative numeric values exported as string in csv
author Asier Lostalé <asier.lostale@openbravo.com>
Thu, 05 Sep 2019 08:47:04 +0200
changeset 36560 b3393dd2ea1e
parent 36559 97b1ce519519
child 36561 db9908961a58
fixed bug 41754: negative numeric values exported as string in csv

Whenever a value is exported to csv, a tab is prepended to it if it starts with
any character that can be used for formulas (issue #40647) in order to prevent
formula injection. This causes negative numeric values to also be escaped, being
treated as strings.

Numeric values don't need to be escaped at all as they cannot be crafted
for formula injection.
modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DataSourceServlet.java
--- a/modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DataSourceServlet.java	Wed Sep 04 01:29:12 2019 -0400
+++ b/modules/org.openbravo.service.datasource/src/org/openbravo/service/datasource/DataSourceServlet.java	Thu Sep 05 08:47:04 2019 +0200
@@ -635,11 +635,13 @@
           Object keyValue = json.has(key + DalUtil.FIELDSEPARATOR + JsonConstants.IDENTIFIER)
               ? json.get(key + DalUtil.FIELDSEPARATOR + JsonConstants.IDENTIFIER)
               : json.get(key);
+          boolean isNumeric = false;
           if (refListCols.contains(key)) {
             keyValue = refLists.get(key).get(keyValue);
           } else if (keyValue instanceof Number) {
             // if the CSV decimal separator property is defined, used it over the character
             // defined in Format.xml
+            isNumeric = true;
             keyValue = keyValue.toString()
                 .replace(".",
                     prefDecimalSeparator != null ? prefDecimalSeparator : decimalSeparator);
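Review bot: In the `keyValue instanceof Number` branch, `isNumeric = true;` lands between the two-line decimal separator comment and the `keyValue.toString().replace(...)` statement that comment describes, so the comment now reads as if it explained the flag. Move the assignment above the comment and give it its own one-line comment saying the flag exempts the value from formula escaping later on. Note also that the exemption covers whatever `prefDecimalSeparator` or `decimalSeparator` inserts in place of the ".": a negative number is now written unescaped together with that separator text, so please confirm both values are restricted to a single separator character.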
@@ -679,7 +681,7 @@
           String outputValue;
           if (keyValue != null && !keyValue.toString().equals("null")) {
             outputValue = keyValue.toString().replace("\"", "\"\"");
-            if (StringUtils.startsWithAny(outputValue, CSV_FORMULA_PREFIXES)) {
+            if (!isNumeric && StringUtils.startsWithAny(outputValue, CSV_FORMULA_PREFIXES)) {
               // escape formulas
               outputValue = "\t" + outputValue;
             }
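Review bot: The `!isNumeric` test in the changed condition trusts a flag that was set near line 640, and the hunk headers show roughly forty lines between the two hunks that are not part of this diff. If any branch in that range reassigns `keyValue` to non-numeric text, the flag stays true and the tab escape is skipped for that text. Please confirm no such reassignment exists, or decide the exemption right at this condition instead. A regression test covering both sides would help: a negative number exported without the leading tab, and a string value starting with `-` still exported with it.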