Happy Business Starts Here

Insertion of apostrophe (') to avoid CSV injection vulnerability when exporting data

Yingying
Zuora Documentation

Insertion of apostrophe (') to avoid CSV injection vulnerability when exporting data

To avoid CSV injection vulnerability when you download exported data files through Reporting > Data Sources or Reporting > Exports (deprecated), Zuora inserts an apostrophe (') at the beginning of the field value if the first character of a field value is one of the following characters:

  • '='
  • '+'
  • '-'

In addition, Zuora in the future will insert an apostrophe (') in the following conditions when generating the exported data files:

  • If '@' or ';' is the first character of a field value, Zuora will insert an apostrophe (') at the beginning of the field value.
  • If the field value contains the following 2-character string, Zuora will insert an apostrophe (') in between:
    • ';='
    • ';+'
    • ';-'
    • ';@'

These changes are planned to be released in August.