Mercurial > p > roundup > code
comparison doc/upgrading.txt @ 6190:15fd91fd3c4c
Quote all exported CSV data
Quote all non-numeric data in csv export functions. Report that a
title like '=a2+b3' could be interpreted as a function in Excel and
executed. csv.writer now includes quoting=csv.QUOTE_NONNUMERIC to
generate quoted values for all fields. This should make the string
starting with = be interpreted as a string and not a formula.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 08 Jun 2020 16:18:21 -0400 |
| parents | 5522c950a2e4 |
| children | 13f5cbbcd4e6 |
comparison
equal
deleted
inserted
replaced
| 6189:7458211ca6f3 | 6190:15fd91fd3c4c |
|---|---|
| 157 if db.tx_Source in [ "web", "rest", "xmlrpc" ] | 157 if db.tx_Source in [ "web", "rest", "xmlrpc" ] |
| 158 | 158 |
| 159 or:: | 159 or:: |
| 160 | 160 |
| 161 if db.tx_Source in ['web', 'rest', 'xmlrpc', 'email-sig-openpgp', 'cli' ]: | 161 if db.tx_Source in ['web', 'rest', 'xmlrpc', 'email-sig-openpgp', 'cli' ]: |
| 162 | |
| 163 | |
| 164 CSV export changes | |
| 165 ------------------ | |
| 166 | |
| 167 The original Roundup CSV export function for indexes reported id | |
| 168 numbers for links. The wiki had a version that resolved the id's to | |
| 169 names, so it would report ``open`` rather than ``2`` or | |
| 170 ``user2;user3`` rather than ``[2,3]``. | |
| 171 | |
| 172 Many people added the enhanced version to their extensions directory. | |
| 173 | |
| 174 The enhanced version was made the default in roundup 2.0. If you want | |
| 175 to use the old version (that returns id's), you can replace references | |
| 176 to ``export_csv`` with ``export_csv_id`` in templates. | |
| 177 | |
| 178 Both core csv export functions have been changed to force quoting of | |
| 179 all exported fields. To incorporate this change in any CSV export | |
| 180 extension you may have added, change references in your code from:: | |
| 181 | |
| 182 writer = csv.writer(wfile) | |
| 183 | |
| 184 to:: | |
| 185 | |
| 186 writer = csv.writer(wfile, quoting=csv.QUOTE_NONNUMERIC) | |
| 187 | |
| 188 this forces all (non-numeric) fields to be quoted and empty quotes to | |
| 189 be added for missing parameters. | |
| 190 | |
| 191 This turns exported values that may look like formulas into strings so | |
| 192 some versions of Excel won't try to interpret them as a formula. | |
| 162 | 193 |
| 163 Update userauditor.py to restrict usernames | 194 Update userauditor.py to restrict usernames |
| 164 ------------------------------------------- | 195 ------------------------------------------- |
| 165 | 196 |
| 166 A username can be created with embedded commas and < and > | 197 A username can be created with embedded commas and < and > |