
The problem isn't with CSV, it is with spreadsheet applications.



Users associate application behaviour with file formats.

Analogy: people think PDF files are safe, but aren't aware of the constant stream of RCE vulnerabilities that is Acrobat Reader & how widely it's used, which invalidates their model of behaviour associated with PDF files.


In this case the users are wrong and so are the spreadsheet applications.


I don't know why spreadsheet applications don't standardise on a file extension that they won't screw with. Call it csf or something. Treat it like pure CSV except don't interpret =/@ or any of the other weirdness. Basically just interpret all fields as plain strings as default [even if they look like numbers]. This way everything is backwards compatible: old 'weird CSV' files still work, and those that care about their users can use .csf and the files won't endanger their users.


Yeah or they could just make "mangle my CSV files" an option buried in the config somewhere. I'd even open up regedit.


That would make safety an "opt in" measure, it should be "opt out" instead. Make the CSV format stop interpreting formulas unless you specifically ask it to. Most people don't put formulas in their CSV files anyway.


The CSV format doesn't interpret anything, it's spreadsheet applications doing that.


Sorry if I was unclear, that was exactly what I meant - applications that open CSV files.



