phpLDAPadmin: Improper Neutralization of Formula Elements
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed; the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor to filter it on export.
It is recommended that control characters at the beginning of character strings in cells are filtered before CSV export in order to avoid formula injection. Since spreadsheet formulas always start with one of the following characters, these can be filtered specifically:
- Equal (=)
- Plus (+)
- Minus (-)
- At (@)
- Tab (0x09)
- Carriage return (0x0D)
When filtering these special characters, care should be taken to remove not only the special character in the first position (for example in +-@=cmd|' /C calc.exe'!'A1', where several trigger characters are stacked), but all leading special characters up to the first legitimate character.
As an alternative to the above-mentioned filtering, OWASP also suggests a sanitization method consisting of three steps ( https://owasp.org/www-community/attacks/CSV_Injection ).
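The two mitigations above, implemented as an added example in Python (this is not phpLDAPadmin's own code): `strip_leading_triggers` applies the filtering approach, `owasp_prefix` together with `csv.QUOTE_ALL` applies the OWASP three-step method, and `find_risky_cells` audits an existing export for cells that would be evaluated on open. The sample rows are constructed; the last cell is the payload shape quoted in the advisory.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula;
# this is the set listed in the advisory above.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def strip_leading_triggers(value: str) -> str:
    """Advisory approach: drop every leading trigger character, not just
    the first one, so "+-@=cmd..." becomes "cmd..."."""
    i = 0
    while i < len(value) and value[i] in FORMULA_TRIGGERS:
        i += 1
    return value[i:]


def owasp_prefix(value: str) -> str:
    """Step 2 of the OWASP method: prepend a single quote so the cell is
    read as text. Steps 1 and 3 (wrap in double quotes, double any
    embedded double quote) are done by csv.QUOTE_ALL in export_rows."""
    return "'" + value


def export_rows(rows, sanitize):
    """Render rows as CSV text, passing each cell through `sanitize`."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize(cell) for cell in row])
    return buf.getvalue()


def find_risky_cells(csv_text: str):
    """Audit an existing export: return (row, column) of every cell that
    starts with a trigger character."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS:
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    # Constructed sample rows, not real directory data.
    rows = [["cn", "telephoneNumber", "description"],
            ["alice", "+1 555 0100", "+-@=cmd|' /C calc.exe'!'A1'"]]
    print("risky cells:", find_risky_cells(export_rows(rows, lambda v: v)))
    print(export_rows(rows, strip_leading_triggers))
    print(export_rows(rows, owasp_prefix))
```

Note the trade-off visible in the sample: stripping removes the leading plus from a legitimate phone number, whereas the OWASP method preserves the data but leaves a visible apostrophe in every cell.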
Configurations
Workarounds
It is advised that the Office settings on client machines are configured so that Dynamic Data Exchange (DDE) is disabled.