From d534392f66b4f902d0d376602a3486b974a3aab4 Mon Sep 17 00:00:00 2001
From: Dan Chadwick <dan899@gmail.com>
Date: Tue, 23 Aug 2016 08:15:54 -0400
Subject: [PATCH] Issue #2788591: Added warning about opening CSV files with
 spreadsheets.

---
 includes/webform.report.inc | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/includes/webform.report.inc b/includes/webform.report.inc
index 1a8c224..9eb7d4a 100644
--- a/includes/webform.report.inc
+++ b/includes/webform.report.inc
@@ -440,19 +440,28 @@ function webform_results_download_form($form, &$form_state, $node) {
     '#default_value' => webform_variable_get('webform_export_format'),
   );
 
-  $form['delimiter'] = array(
-    '#type' => 'select',
-    '#title' => t('Delimited text format'),
-    '#description' => t('This is the delimiter used in the CSV/TSV file when downloading Webform results. Using tabs in the export is the most reliable method for preserving non-latin characters. You may want to change this to another character depending on the program with which you anticipate importing results.'),
-    '#default_value' => webform_variable_get('webform_csv_delimiter'),
-    '#options' => array(
-      ','  => t('Comma (,)'),
-      '\t' => t('Tab (\t)'),
-      ';'  => t('Semicolon (;)'),
-      ':'  => t('Colon (:)'),
-      '|'  => t('Pipe (|)'),
-      '.'  => t('Period (.)'),
-      ' '  => t('Space ( )'),
+  $form['delimited_options'] = array(
+    '#type' => 'container',
+    'warning' => array(
+      '#markup' => '<p>' .
+                   t('<strong>Warning:</strong> Opening delimited text files with spreadsheet applications may expose you to <a href="!link">formula injection</a> or other security vulnerabilities. When the submissions contain data from untrusted users and the downloaded file will be used with spreadsheets, use Microsoft Excel format.',
+                     array('!link' => url('https://www.google.com/search?q=spreadsheet+formula+injection'))) .
+                 '</p>',
+    ),
+    'delimiter' => array(
+      '#type' => 'select',
+      '#title' => t('Delimited text format'),
+      '#description' => t('This is the delimiter used in the CSV/TSV file when downloading Webform results. Using tabs in the export is the most reliable method for preserving non-latin characters. You may want to change this to another character depending on the program with which you anticipate importing results.'),
+      '#default_value' => webform_variable_get('webform_csv_delimiter'),
+      '#options' => array(
+        ','  => t('Comma (,)'),
+        '\t' => t('Tab (\t)'),
+        ';'  => t('Semicolon (;)'),
+        ':'  => t('Colon (:)'),
+        '|'  => t('Pipe (|)'),
+        '.'  => t('Period (.)'),
+        ' '  => t('Space ( )'),
+      ),
     ),
     '#states' => array(
       'visible' => array(
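Review bot: The `'warning'` element added to `$form['delimited_options']` is an informational control only; nothing in this hunk neutralises cell values that begin with `=`, `+`, `-` or `@` before they are written out, so the export path (outside this hunk, presumably the CSV/TSV writer) still emits them verbatim and a user who skips the text remains exposed. A follow-up that escapes such leading characters in the delimited writer would turn the advice into an actual mitigation; the warning should then say so. The `!link` placeholder is not escaped by `t()`, which is acceptable here only because the value is a fixed URL, and that deserves a comment next to line 37: `// !link is unescaped by t(); keep this a hard-coded URL, never user-supplied data.` Moving `'delimiter'` under the container also changes its form path; since the container does not set `'#tree'`, `$form_state['values']['delimiter']` should be unchanged, but the submit handler lives outside the hunk and is worth confirming.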
-- 
2.7.1.windows.2

