// SECURE: CSV generation with sanitization
// Express app setup; only the /export/users route below is defined in this file.
const express = require('express');
const app = express();
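/**
 * Make one value safe to embed as a single CSV cell.
 *
 * Defences applied, in order:
 *  1. null/undefined become an empty cell.
 *  2. C0/C1 control characters (including tab, CR, LF) are stripped so a
 *     value can never break the row/field structure.
 *  3. Values starting with a spreadsheet formula trigger (`=`, `+`, `-`, `@`)
 *     are prefixed with a single quote so spreadsheet applications treat
 *     them as text (CSV/formula injection). Note this also affects benign
 *     values such as negative numbers ("-5" -> "'-5"), an accepted trade-off.
 *  4. Values matching known command/DDE patterns are replaced wholesale by
 *     the literal `[CONTENT_SANITIZED]`. This is deliberately coarse and will
 *     also replace ordinary text containing the words cmd/powershell/dde/webservice.
 *  5. Embedded double quotes are doubled and the cell is wrapped in double
 *     quotes when it contains a comma, a double quote, or a line break
 *     (RFC 4180). The original only quoted on comma/newline, which left
 *     fields containing `"` unquoted and therefore mis-parsed.
 *
 * @param {*} field - Any value; non-strings are converted with String().
 * @returns {string} The sanitized cell text, ready to be joined with commas.
 */
function sanitizeCSVField(field) {
  if (field == null) {
    return '';
  }

  // Strip C0 and C1 control characters (tab, CR, LF included).
  let value = String(field).replace(/[\x00-\x1F\x7F-\x9F]/g, '');

  // Tab and CR are listed for defence in depth; they are currently removed
  // above, so they only matter if the control-character stripping is relaxed.
  const formulaPrefixes = ['=', '+', '-', '@', '\t', '\r'];
  if (formulaPrefixes.some((prefix) => value.startsWith(prefix))) {
    // Leading apostrophe forces spreadsheet applications to treat the cell as text.
    value = `'${value}`;
  }

  const dangerousPatterns = [
    /\b(cmd|powershell|dde|webservice)\b/i,
    /\|.*!/, // DDE-style "|...!" link syntax
  ];
  if (dangerousPatterns.some((pattern) => pattern.test(value))) {
    return '[CONTENT_SANITIZED]';
  }

  // Decide quoting before escaping, otherwise the doubled quotes would be
  // what we test for. A field with a bare `"` must be quoted per RFC 4180.
  const needsQuoting = /[",\r\n]/.test(value);
  value = value.replace(/"/g, '""');
  if (needsQuoting) {
    value = `"${value}"`;
  }
  return value;
}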
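// GET /export/users — stream all users as a CSV attachment.
// Every cell passes through sanitizeCSVField, so database-sourced values
// (including free-text comments) cannot inject rows, fields or formulas.
// getUsersFromDatabase is defined elsewhere; it is assumed to resolve to an
// array of objects with name/email/comments properties.
app.get('/export/users', async (req, res) => {
  try {
    const users = await getUsersFromDatabase();

    const rows = users.map((user) =>
      [user.name, user.email, user.comments]
        .map((cell) => sanitizeCSVField(cell))
        .join(','),
    );
    // Trailing '' yields the terminating newline after the last row.
    const csv = ['Name,Email,Comments', ...rows, ''].join('\n');

    // Explicit charset and nosniff stop browsers from re-interpreting the
    // body as HTML/script if the attachment is ever rendered inline.
    res.setHeader('Content-Type', 'text/csv; charset=utf-8');
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('Content-Disposition', 'attachment; filename="users_secure.csv"');
    res.send(csv);
  } catch (error) {
    // Log the full error server-side; the client only gets a generic message.
    console.error('Export error:', error);
    res.status(500).json({ error: 'Export failed' });
  }
});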