Excel Injection: formula quoting?

Hi,

Thanks for the link, it is interesting and I'll see to add it in the FlexCelReport.EnterFormulas documentation.

But at least for this one you don't have to worry: By default FlexCel will behave as you expect: It won't enter formulas from the database. For that you need to either explicitly say in the template that the cell expects a formula (by writing <#formula> in the cell) or to set the property FlexCelReport.EnterFormulas = true (it is false by default). Also setting FlexCelReport.TryToConvertStrings = true would cause formulas to be entered as formulas, but again, this property is false by default.

We are aware of formula injection dangers, and we took it in account while designing FlexCel. If you read the section "Recalculating Linked Files" in the API guide, a big part of it is dedicated to explain how an user could use a carefully crafted spreadsheet to access sensitive information in your machine. This is the reason why FlexCel doesn't recalculate linked files by default: It is safer, even if it is more inconvenient in cases where you control the files. This is the same reason we don't write formulas in a database directly to the sheet. We do provide a property EnterFormulas which you could use if you trust the db you are using, but by default we won't. 

Of course there could be other ways that someone could abuse formulas, I can't guarantee (and I am sure we didn't) cover all possible security issues. But we took as much care as we could.

In any case, I will be adding this link and a bigger explanation to the EnterFormulas properties, as it doens't make you aware of the risk right now.