Finding 1 — CSV multiline formula injection:

- Split _format_execution into _format_execution_text (MD/PDF, no sanitization) and _format_execution_csv (CSV, applies _csv_safe to each user-controlled component before join)
- Moved _CSV_FORMULA_TRIGGERS + _csv_safe above the format helpers (required by _format_execution_csv)
- Outer _csv_safe on the Exécution cell retained as belt-and-braces for the empty-date case
- New test: test_render_engagement_csv_defuses_formula_in_inner_execution_lines

Finding 2 — Stored XSS in Markdown table:

- _cell() in render_engagement_markdown now calls _html_escape() (quote=True, default) before pipe-escaping and \n→<br/> substitution — correct order preserved
- New test: test_render_engagement_markdown_escapes_html_in_table_cells

255 → 257 passed, ruff clean, mypy clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
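The two fixes described in the commit message share one idea: sanitize each user-controlled component before you assemble it into something larger, and apply your own markup only after untrusted text has been escaped. The following is an added, self-contained illustration of both findings; it is not the project's code. The function names (csv_safe, format_execution_csv, md_cell), the trigger set, the per-line join format and the sample execution lines are all assumptions constructed for the example.

```python
import html
from typing import Iterable

# Assumed trigger set: leading characters that spreadsheet applications
# interpret as the start of a formula (the project's _CSV_FORMULA_TRIGGERS
# is not shown in the commit message).
CSV_FORMULA_TRIGGERS: frozenset[str] = frozenset("=+-@\t\r")


def csv_safe(value: str) -> str:
    """Defuse a value that a spreadsheet would evaluate as a formula.

    A leading single quote forces text interpretation in Excel and
    LibreOffice; values that do not start with a trigger are unchanged.
    """
    if value and value[0] in CSV_FORMULA_TRIGGERS:
        return "'" + value
    return value


def format_execution_text(date: str, lines: Iterable[str]) -> str:
    """MD/PDF variant (assumed format): no CSV sanitization, the downstream
    renderer is responsible for its own escaping."""
    body = "\n".join(lines)
    return f"{date}\n{body}" if date else body


def format_execution_csv_naive(date: str, lines: Iterable[str]) -> str:
    """Pre-fix behaviour: only the joined cell is checked, so a formula on
    any line after the first survives untouched (Finding 1)."""
    return csv_safe(format_execution_text(date, lines))


def format_execution_csv(date: str, lines: Iterable[str]) -> str:
    """Fixed behaviour: every user-controlled component is defused before
    the join, then the whole cell is checked once more as belt-and-braces
    for the empty-date case, where the first inner line becomes the cell
    start."""
    body = "\n".join(csv_safe(line) for line in lines)
    cell = f"{csv_safe(date)}\n{body}" if date else body
    return csv_safe(cell)


def md_cell_unescaped(value: str) -> str:
    """Pre-fix Markdown cell: pipes escaped and newlines turned into <br/>,
    but raw HTML from the user passes straight through (Finding 2)."""
    return value.replace("|", "\\|").replace("\n", "<br/>")


def md_cell(value: str) -> str:
    """Fixed Markdown cell. Order matters: HTML-escape the untrusted text
    first, then escape pipes (table structure), then insert our own <br/>.
    Escaping after the <br/> substitution would mangle that markup into
    &lt;br/&gt; and break the rendered table."""
    escaped = html.escape(value, quote=True)
    escaped = escaped.replace("|", "\\|")
    return escaped.replace("\n", "<br/>")


if __name__ == "__main__":
    # Constructed sample: an engagement log whose second execution line is
    # attacker-controlled and starts with a formula trigger.
    lines = ["nmap -sV target", '=HYPERLINK("http://evil.example","click")']
    print(repr(format_execution_csv_naive("2024-03-01", lines)))
    print(repr(format_execution_csv("2024-03-01", lines)))
    print(md_cell_unescaped("<img src=x onerror=alert(1)>"))
    print(md_cell("<img src=x onerror=alert(1)>"))
```

The naive CSV path leaves the inner `=HYPERLINK(...)` line intact because the cell as a whole starts with a digit; the fixed path prefixes that line with a quote regardless of its position. For the Markdown cell, asserting on a payload containing `<`, `>`, `|` and a newline together is the quickest way to lock in the escaping order in a regression test.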