CSV injection prevention · Excel workflow
CSV Injection Prevention in Excel: Apostrophe vs. Tab Prefix
Both prefixes change the underlying value. One may be easier for programmatic consumers; the other may better survive an observed Excel workflow. Neither is a universal safety guarantee.
The short answer
No CSV prefix is universally safe across spreadsheet applications and downstream consumers. Apostrophe prefixing can reduce risk on initial import but may not survive an Excel save/reopen cycle. OWASP documents a tab-inside-a-quoted-field mitigation observed in Excel. CSV Guard layers an apostrophe after that tab so TSV-style reinterpretation does not leave the formula marker first; both prefixes remain in the data and must be tested in your exact workflow.
Decision table
Choose for the destination, then verify the lifecycle.
| Prefix | Reason to consider it | What can go wrong | Use only after |
|---|---|---|---|
| Apostrophe | Useful when every downstream consumer accepts or deliberately strips it. | It changes the value, and its escape behavior may disappear after Excel saves and reopens a CSV. | Testing the initial import and the saved file that users will reopen. |
| Tab + apostrophe | Layers an apostrophe after the Excel-observed tab mitigation so tab reinterpretation retains a text prefix. | Both prefixes remain in the data and can disrupt parsers, joins, type inference, or another spreadsheet. | Testing the exact Excel version, locale, import path, and downstream program. |
“Observed in Excel” is not a Microsoft guarantee or a promise about every release, operating system, locale, file-open method, or spreadsheet product.
Lifecycle test
Test the file users actually exchange.
-
01
Record the environment
Capture the Excel version and build, operating system, locale and list separator, import method, and relevant Trust Center settings.
-
02
Inspect the raw output
Confirm the actual delimiter, quoted fields, escaped quotes, BOM, and exact prefix positions before opening the file.
-
03
Open it the real way
Use the production import path—double-click, File Open, or Data > From Text/CSV—then inspect both the displayed cell and the formula bar.
-
04
Cross the save boundary
Save the CSV, close Excel, and reopen it by the same path. Repeat the cell and formula-bar checks.
-
05
Compare and consume
Perform a raw-file diff before and after Excel, then load the saved file into every downstream parser that matters.
Harmless cases
Separate a risk marker from malicious intent.
Start with inert arithmetic examples such as =1+1,
+1+1, -1+1, -42, and
@SUM(1,1). Exercise cell starts, supported delimiters,
embedded line breaks, escaped quotes, leading whitespace, and values
that already contain an apostrophe or tab.
Negative numbers are an important false positive: -42 can
be ordinary data, yet a conservative marker rule prefixes it and changes
its inferred type. Validate identifiers, leading zeros, joins, and numeric
calculations after every mode.
Do not copy command-execution or real exfiltration payloads into routine acceptance tests. Any external-impact testing belongs in an isolated, authorized environment.
Primary sources
Read the behavior, not a promise.
-
OWASP: CSV Injection
Risk markers, separator boundaries, and prefix trade-offs.
-
OWASP WSTG: Testing for CSV Injection
A lifecycle-oriented test method for spreadsheet behavior.
-
Microsoft: Import or export text and CSV files
How open method, delimiter, and regional settings affect CSV interpretation.