Free Support Forum - aspose.com

CSV injection risk assessment


A common risk with sheets is CSV injection, targeting the user when he downloads an Excel file (e.g. =cmd|' /C calc'!A0). That is because Excel can evaluate formulas.

Aspose can also evaluate formulas (cell.DisplayStringValue is the result of evaluation as per documentation). When a CSV file is read in by Aspose, what measures are taken to ensure that a malicious CSV file is not evaluated to attack the server itself (not the user)? Does Aspose even evaluate cmd or bash commands at all, or just Excel functions, or a subset thereof?

Thank you very much,



Please note, Aspose.Cells does not evaluate or calculate formulas which involve external references to programs (calls) or external files, or which execute scripts in the formulas, so the formula "=cmd|' /C calc'!A0" won't be calculated at all. Similar critical formulas won't be calculated either.

Hope this answers your doubts.
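For the user-facing half of the risk raised in the question (a spreadsheet application evaluating the cell after download), the following is an added example, not part of the original thread and not Aspose code: it scans CSV input for formula-like cells, marks DDE-style ones such as the formula quoted above, and neutralizes them with a leading apostrophe, a commonly recommended mitigation. The function names, the regular expression and the sample data are assumptions made for illustration.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet application parse a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# DDE-style reference: trigger, application name, pipe, topic, then "!item".
DDE_PATTERN = re.compile(r"^[=+\-@]\s*[A-Za-z0-9_.\\/:]+\s*\|.*!", re.DOTALL)

def classify(cell):
    """Return 'dde', 'formula' or 'plain' for one cell value."""
    text = cell.lstrip(" \t\r\n")
    if not text.startswith(FORMULA_TRIGGERS):
        return "plain"
    try:
        float(text)  # a signed number such as -12.5 is data, not a formula
        return "plain"
    except ValueError:
        return "dde" if DDE_PATTERN.match(text) else "formula"

def scan(csv_text):
    """List (row, column, kind, value) for every formula-like cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            kind = classify(cell)
            if kind != "plain":
                findings.append((r, c, kind, cell))
    return findings

def neutralize(csv_text):
    """Rewrite the CSV so formula-like cells open as text (leading apostrophe)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow(["'" + v if classify(v) != "plain" else v for v in row])
    return out.getvalue()

# Constructed sample input; row 3 carries the formula quoted in the thread.
SAMPLE = (
    "name,amount,note\n"
    "alice,-12.5,ok\n"
    "bob,10,\"=cmd|' /C calc'!A0\"\n"
    "carol,7,=SUM(B2:B3)\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Running `scan` before handing a file to any spreadsheet library gives a log of rejected or rewritten cells, and `neutralize` is applied on export so the downloaded file opens with those cells as text.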

@Amjad_Sahi Excellent, thank you very much!


You are welcome.