{"id":3957,"library":"defusedcsv","title":"Defused CSV","description":"defusedcsv is a Python library (version 3.0.0) that acts as a drop-in replacement for the standard library's `csv` module, specifically designed to mitigate CSV injection attacks. It works by sanitizing output, prepending an apostrophe to cells that start with potentially malicious characters like `=`, `+`, `-`, `@`, `|`, or `%`, and escaping `|` characters within these cells. This prevents spreadsheet software (like MS Excel or LibreOffice) from interpreting the cell content as a formula. The library's release cadence appears to be infrequent, with the latest version published to PyPI on September 2, 2025.","status":"active","version":"3.0.0","language":"en","source_language":"en","source_url":"https://github.com/raphaelm/defusedcsv","tags":["security","csv","injection-prevention","data-sanitization"],"install":[{"cmd":"pip install defusedcsv","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"note":"The library is designed as a drop-in replacement; replace `import csv` with `from defusedcsv import csv`.","wrong":"import csv","symbol":"csv","correct":"from defusedcsv import csv"}],"quickstart":{"code":"from defusedcsv import csv\nimport io\n\n# Prepare an in-memory CSV output stream\noutput = io.StringIO()\nwriter = csv.writer(output)\n\n# Write header and rows, including potentially malicious payloads\nwriter.writerow(['ID', 'Name', 'Notes'])\nwriter.writerow(['1', 'Alice', 'Safe note'])\nwriter.writerow(['2', 'Bob', '=1+1'])\nwriter.writerow(['3', 'Charlie', '@SUM(A1:A2)'])\nwriter.writerow(['4', 'David', '|cmd /C calc!A1'])  # '|' is escaped as '\\\\|', and the cell is prefixed with an apostrophe\n\n# Get the sanitized CSV data\nsanitized_csv_data = output.getvalue()\nprint(\"--- Sanitized CSV Output (as seen in file) ---\")\nprint(sanitized_csv_data)\n\n# Example of reading the sanitized CSV back (shows raw content)\ninput_data = io.StringIO(sanitized_csv_data)\nreader = csv.reader(input_data)\n\nprint(\"\\n--- Reading Sanitized CSV ---\")\nheaders = next(reader)\nprint(f\"Headers: {headers}\")\nfor row in reader:\n    print(f\"Row: {row}\")\n\n# Expected output for the problematic cells (when viewed programmatically):\n# ['2', 'Bob', \"'=1+1\"]\n# ['3', 'Charlie', \"'@SUM(A1:A2)\"]\n# ['4', 'David', \"'\\\\|cmd /C calc!A1\"]","lang":"python","description":"This quickstart demonstrates how to use `defusedcsv` as a drop-in replacement for the standard `csv` module. It shows how potentially malicious spreadsheet formulas are automatically sanitized by prepending an apostrophe and escaping pipe characters, preventing execution when opened in spreadsheet software."},"warnings":[{"fix":"Ensure downstream systems are aware of and can handle the modifications made by `defusedcsv` (prepending apostrophes, escaping pipe characters). If exact original data is required, `defusedcsv` is not suitable.","message":"The primary function of `defusedcsv` is to modify CSV cell content to prevent injection attacks. This means the output CSV files will not be byte-for-byte identical to those produced by the standard `csv` module if malicious-looking data is present. Systems expecting exact, untransformed CSV output (e.g., for cryptographic hashing or strict format validation) may break.","severity":"breaking","affected_versions":"All versions"},{"fix":"Ensure your project runs on Python versions 3.9 through 3.13. If you must use other versions, thorough testing is recommended.","message":"The library explicitly states it's tested with Python 3.9 to 3.13. While it might work on other Python 3 versions, explicit support is not guaranteed, which could lead to unexpected behavior or incompatibilities.","severity":"gotcha","affected_versions":"<3.9, >3.13"},{"fix":"Implement comprehensive data validation and sanitization at all input and output points of your application, not relying solely on `defusedcsv` for all security or data integrity concerns.","message":"The sanitization only addresses CSV injection for spreadsheet software. It does not validate or sanitize other forms of potentially malicious data within the CSV (e.g., malformed data, incorrect types, or general parsing errors) that could exploit other vulnerabilities or cause issues in different downstream processing systems.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}