From a6ed5667ab8e17bd7a20dc54def9fd0b9f4dc6b9 Mon Sep 17 00:00:00 2001
From: oo0oo <1148059382@qq.com>
Date: Tue, 01 Feb 2022 10:24:49 +0800
Subject: [PATCH] update .gitignore. 添加JRebel工具rebel.xml文件规则至gitignore
---
ruoyi-common/src/main/java/com/ruoyi/common/utils/poi/ExcelUtil.java | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/poi/ExcelUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/poi/ExcelUtil.java
index 93a19e8..22b6b57 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/poi/ExcelUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/poi/ExcelUtil.java
@@ -86,6 +86,9 @@
{
private static final Logger log = LoggerFactory.getLogger(ExcelUtil.class);
+ public static final String[] FORMULA_STR = { "=", "-", "+", "@" };
+
+
/**
* Excel sheet最大行数,默认65536
*/
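Review bot: The new `FORMULA_STR` constant has no Javadoc, although the security reason for it is only explained by a comment deep inside a method in the second hunk; a reader of the class header cannot tell why a utility class holds `{ "=", "-", "+", "@" }`. Add above it: `/** Leading characters that make a spreadsheet application treat a cell as a formula (CSV/formula injection); cells starting with one of these are neutralised before export. */`. The array is also public and mutable, so any caller can overwrite its entries and silently disable the mitigation — `private static final` (the class is its own only user) or exposing it as `List.of(...)` would be tighter. The two blank lines at the end of the hunk are more than the file's single-blank-line style elsewhere.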
@@ -710,7 +713,13 @@
{
if (ColumnType.STRING == attr.cellType())
{
- cell.setCellValue(StringUtils.isNull(value) ? attr.defaultValue() : value + attr.suffix());
+ String cellValue = Convert.toStr(value);
+ // 对于任何以表达式触发字符 =-+@开头的单元格,直接使用tab字符作为前缀,防止CSV注入。
+ if (StringUtils.containsAny(cellValue, FORMULA_STR))
+ {
+ cellValue = StringUtils.replaceEach(cellValue, FORMULA_STR, new String[] { "\t=", "\t-", "\t+", "\t@" });
+ }
+ cell.setCellValue(StringUtils.isNull(cellValue) ? attr.defaultValue() : cellValue + attr.suffix());
}
else if (ColumnType.NUMERIC == attr.cellType())
{
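Review bot: The neutralisation does not match its own comment: the comment says cells that *start* with `=`, `-`, `+` or `@` get a tab prefix, but `StringUtils.containsAny` plus `StringUtils.replaceEach` rewrite every occurrence anywhere in the string, so an email address, a date such as 2022-01-01 or a phone number with a leading `+` followed by later dashes is corrupted on export. Only the leading character can trigger formula evaluation, so the guard and the rewrite should be `if (StringUtils.startsWithAny(cellValue, FORMULA_STR))` and `cellValue = "\t" + cellValue;`, which also removes the positional coupling between `FORMULA_STR` and the hand-written replacement array. Behaviour for a null `value` depends on what `Convert.toStr` returns and is then re-checked by `StringUtils.isNull` — worth a unit test either way. The enclosing method begins and ends outside this hunk, and the commit subject (a .gitignore/rebel.xml change) does not appear to describe this diff, which will hamper anyone auditing when the CSV-injection mitigation was introduced.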
--
Gitblit v1.9.2