CSV export Characters Starting with @

[steliosph]

When downloading any data that are starting with @ superset will automatically add the '

This provides an extra complexity in order to process the data.
Would it be ideal to not included the ' and let the users handle the data as they are entered.

Superset v2.1.0

[tirkarthi]

Probably an effect of #13735 to prevent csv injection.

superset/superset/utils/csv.py

Lines 33 to 64 in 58e1bcd

	# This regex will match if the string starts with:
	#
	# 1. one of -, @, +, |, =, %
	# 2. two double quotes immediately followed by one of -, @, +, |, =, %
	# 3. one or more spaces immediately followed by one of -, @, +, |, =, %
	#
	problematic_chars_re = re.compile(r'^(?:"{2}|\s{1,})(?=[\-@+|=%])|^[\-@+|=%]')
	def escape_value(value: str) -> str:
	"""
	Escapes a set of special characters.
	http://georgemauer.net/2017/10/07/csv-injection.html
	"""
	needs_escaping = problematic_chars_re.match(value) is not None
	is_negative_number = negative_number_re.match(value) is not None
	if needs_escaping and not is_negative_number:
	# Escape pipe to be extra safe as this
	# can lead to remote code execution
	value = value.replace("|", "\\|")
	# Precede the line with a single quote. This prevents
	# evaluation of commands and some spreadsheet software
	# will hide this visually from the user. Many articles
	# claim a preceding space will work here too, however,
	# when uploading a csv file in Google sheets, a leading
	# space was ignored and code was still evaluated.
	value = "'" + value
	return value

[rusackas]

Is this still happening in 3.x?

[rusackas]

Wasn't sure if this was happening in 3.x, and not sure if it's happening in 4.x. Closing this one as stale, but more than happy to reopen it if it's still happening in supported (4.x, currently) versions.