CSV Formula Injection Guard

Flag risky CSV cells and download a sanitized copy, all in your browser

This tool runs entirely in your browser. The CSV text is not uploaded, logged, or stored. It flags cells a spreadsheet would treat as a formula and offers a sanitized copy; it is a safety aid, not a guarantee against every spreadsheet behavior.


About the CSV formula injection guard

The CSV formula injection guard checks a CSV for cells that a spreadsheet would treat as a formula instead of plain text. A cell whose value begins with an equals sign, a plus, a minus, an at sign, a tab, or a carriage return can run a formula when the file is opened in Excel, Google Sheets, or LibreOffice. A crafted CSV can use that to open a link, pull external data, or even run a command on the computer of the person who opens it. This tool finds those cells and gives you a sanitized copy that is safe to open.

Paste your CSV, select Check CSV, and the tool lists every risky cell with its row, column, a severity, the trigger, and a short preview, so you can see exactly what was flagged. It then builds a sanitized CSV that prefixes each risky cell with a single quote, which tells the spreadsheet to store the cell as text rather than evaluate it. Everything runs in your browser. The CSV you paste, the cell values, and the column names are never uploaded or stored.

How to use

  1. Paste your CSV into the input box. A sample CSV with a few risky cells is loaded so you can see how it works.
  2. Select Check CSV to scan every cell for spreadsheet formula triggers.
  3. Review the findings table: each risky cell shows its row, column, severity, trigger, and a short preview.
  4. Select Download sanitized CSV to get a copy with each risky cell prefixed so a spreadsheet stores it as text.
  5. Select Download findings CSV or Copy review card to keep a record of what was flagged.

Worked examples

=HYPERLINK("http://evil.example","Click") flagged High

A cell that builds a clickable link is flagged high risk because it can send someone to a malicious site when the file opens.

=cmd|'/c calc'!A0 flagged High

A classic command-execution payload is flagged high risk so it never reaches a spreadsheet that would run it.

+15551234567 flagged Medium, sanitized to '+15551234567

A phone number that starts with a plus is flagged medium and prefixed with a quote so it stays text without being read as a formula.

Frequently asked questions

What is CSV formula injection?
CSV formula injection, also called CSV injection, happens when a CSV cell begins with a character a spreadsheet reads as the start of a formula, such as =, +, -, or @. When someone opens the file, the spreadsheet runs that formula. Attackers use it to open links, pull data from other sites, or run commands, so any CSV built from untrusted input should be checked before it is opened or shared.
How does the guard decide a cell is risky?
It flags any cell whose first character is one a spreadsheet treats as a formula trigger: an equals sign, plus, minus, at sign, a tab, or a carriage return. Cells that also contain a command, a link function, or an external-data function such as HYPERLINK, WEBSERVICE, or IMPORTXML are marked high risk. Cells that simply start with a trigger character are marked medium.
How does the sanitized CSV make a file safe?
It prefixes each risky cell with a single quote. A single quote at the start of a cell tells the spreadsheet to store the cell as literal text and not evaluate it, which is the widely recommended fix. The rest of your data is left unchanged, and the file stays a normal CSV.
Why are some phone numbers and negative numbers flagged?
A value that starts with a plus or a minus, such as a phone number or a negative amount, begins with a formula trigger character, so a spreadsheet could try to read it as a formula. These are flagged medium because they are often legitimate. The sanitized copy prefixes them so they stay text, and you can decide whether each one needed it.
Is my CSV uploaded anywhere?
No. The parsing, detection, and sanitization all run in your browser. The CSV you paste, the individual cell values, and the column names are never sent to a server or saved. Download the sanitized CSV or findings before you close the tab.
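The following is an added example, not the tool's own code, showing the whole procedure the steps above and the answers to "How does the guard decide a cell is risky?" and "How does the sanitized CSV make a file safe?" describe: parse the CSV, flag every cell whose first character is a formula trigger, raise the severity to High when the cell also contains a link, external-data or command-style function, and write a sanitized copy with each risky cell prefixed by a single quote. The function names, the `HIGH_RISK` pattern, the `SAMPLE` input (built from the page's worked examples) and the `col1` fallback column name are this example's own assumptions.

```javascript
// Added example of a CSV formula injection guard in plain JavaScript.
// Not the page's tool; names and the HIGH_RISK heuristic are assumptions.

// First characters a spreadsheet treats as the start of a formula.
const TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Content that escalates a finding to High: link and external-data functions
// plus the "app|topic!item" pipe shape used by command-style cells.
// Illustrative list, not exhaustive.
const HIGH_RISK = /HYPERLINK|WEBSERVICE|IMPORTXML|IMPORTDATA|\|/i;

// RFC 4180-style parser: handles quoted fields, doubled quotes, and newlines
// inside quotes. Returns an array of rows, each an array of cell strings.
function parseCsv(text) {
  const rows = [];
  let row = [];
  let cell = '';
  let inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inQuotes) {
      if (ch === '"') {
        if (text[i + 1] === '"') { cell += '"'; i++; } // doubled quote inside a quoted field
        else inQuotes = false;
      } else {
        cell += ch;
      }
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ',') {
      row.push(cell); cell = '';
    } else if (ch === '\n' || ch === '\r') {
      if (ch === '\r' && text[i + 1] === '\n') i++; // treat CRLF as one line break
      row.push(cell); rows.push(row); row = []; cell = '';
    } else {
      cell += ch;
    }
  }
  if (cell !== '' || row.length > 0) { row.push(cell); rows.push(row); }
  return rows;
}

// Decide whether one cell is risky and how severe it is; null when it is plain text.
function classifyCell(value) {
  if (value.length === 0 || !TRIGGERS.has(value[0])) return null;
  const trigger = value[0] === '\t' ? 'TAB' : value[0] === '\r' ? 'CR' : value[0];
  const severity = HIGH_RISK.test(value) ? 'High' : 'Medium';
  return { severity, trigger, preview: value.slice(0, 40) };
}

// Scan every cell, header row included. Rows are 1-based; the column is named
// from the header row, falling back to col1, col2, ... (assumed naming).
function scanCsv(text) {
  const rows = parseCsv(text);
  const header = rows[0] || [];
  const findings = [];
  rows.forEach((cells, r) => {
    cells.forEach((value, c) => {
      const hit = classifyCell(value);
      if (hit) findings.push({ row: r + 1, column: header[c] || `col${c + 1}`, ...hit });
    });
  });
  return findings;
}

// Quote a cell for CSV output when it contains a delimiter, quote or newline.
function csvEscape(value) {
  return /[",\r\n]/.test(value) ? `"${value.replace(/"/g, '""')}"` : value;
}

// Sanitized copy: every risky cell gets a leading single quote, everything else
// is written back unchanged.
function sanitizeCsv(text) {
  return parseCsv(text)
    .map(cells => cells.map(v => csvEscape(classifyCell(v) ? `'${v}` : v)).join(','))
    .join('\n');
}

// Constructed sample input built from the page's worked examples.
const SAMPLE = [
  'name,phone,note',
  'Alice,+15551234567,ok',
  'Bob,5550000,"=HYPERLINK(""http://evil.example"",""Click"")"',
  "Carol,5551111,=cmd|'/c calc'!A0",
  'Dan,-42,plain text',
].join('\n');

console.table(scanCsv(SAMPLE));
console.log(sanitizeCsv(SAMPLE));
```

Re-running `scanCsv` over the output of `sanitizeCsv` and getting no findings is the check worth keeping in any pipeline that emits CSV from untrusted input; the `HIGH_RISK` pattern is a heuristic to extend, and the Medium findings on phone numbers and negative amounts are left for a human to confirm, as the FAQ describes.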
