CSV injection prevention · Excel workflow

CSV Injection Prevention in Excel: Apostrophe vs. Tab Prefix

Both prefixes change the underlying value. One may be easier for programmatic consumers; the other may better survive an observed Excel workflow. Neither is a universal safety guarantee.

The short answer

No CSV prefix is universally safe across spreadsheet applications and downstream consumers. Apostrophe prefixing can reduce risk on initial import but may not survive an Excel save/reopen cycle. OWASP documents a tab-inside-a-quoted-field mitigation observed in Excel. CSV Guard layers an apostrophe after that tab so TSV-style reinterpretation does not leave the formula marker first; both prefixes remain in the data and must be tested in your exact workflow.

Decision table

Choose for the destination, then verify the lifecycle.

Apostrophe and tab prefix trade-offs
Prefix Reason to consider it What can go wrong Use only after
Apostrophe Useful when every downstream consumer accepts or deliberately strips it. It changes the value, and its escape behavior may disappear after Excel saves and reopens a CSV. Testing the initial import and the saved file that users will reopen.
Tab + apostrophe Layers an apostrophe after the Excel-observed tab mitigation so tab reinterpretation retains a text prefix. Both prefixes remain in the data and can disrupt parsers, joins, type inference, or another spreadsheet. Testing the exact Excel version, locale, import path, and downstream program.

“Observed in Excel” is not a Microsoft guarantee or a promise about every release, operating system, locale, file-open method, or spreadsheet product.

Lifecycle test

Test the file users actually exchange.

  1. 01

    Record the environment

    Capture the Excel version and build, operating system, locale and list separator, import method, and relevant Trust Center settings.

  2. 02

    Inspect the raw output

    Confirm the actual delimiter, quoted fields, escaped quotes, BOM, and exact prefix positions before opening the file.

  3. 03

    Open it the real way

    Use the production import path—double-click, File Open, or Data > From Text/CSV—then inspect both the displayed cell and the formula bar.

  4. 04

    Cross the save boundary

    Save the CSV, close Excel, and reopen it by the same path. Repeat the cell and formula-bar checks.

  5. 05

    Compare and consume

    Perform a raw-file diff before and after Excel, then load the saved file into every downstream parser that matters.

Harmless cases

Separate a risk marker from malicious intent.

Start with inert arithmetic examples such as =1+1, +1+1, -1+1, -42, and @SUM(1,1). Exercise cell starts, supported delimiters, embedded line breaks, escaped quotes, leading whitespace, and values that already contain an apostrophe or tab.

Negative numbers are an important false positive: -42 can be ordinary data, yet a conservative marker rule prefixes it and changes its inferred type. Validate identifiers, leading zeros, joins, and numeric calculations after every mode.

Do not copy command-execution or real exfiltration payloads into routine acceptance tests. Any external-impact testing belongs in an isolated, authorized environment.

Primary sources

Read the behavior, not a promise.