Configure CSV injection protection for attachments
Zuora provides options to manage CSV injection protection for attachments, allowing administrators to choose between allowing, blocking, or sanitizing potentially harmful spreadsheet formulas.
Zuora allows administrators to control whether attachments containing potential CSV or spreadsheet formula injections are allowed, blocked, or sanitized. This setting helps protect users from malicious formulas that may run when files are opened in applications such as Microsoft Excel or LibreOffice Calc.
- Navigate to .
- In the Attachment Limits section, click Edit.
- Locate the CSV injection setting and select one of the following options:
- Allow: Users can upload CSV or spreadsheet files without CSV injection validation. This preserves the previous behavior and may allow files that contain formulas starting with characters such as =, +, -, or @.
- Block: Zuora checks uploaded CSV or spreadsheet files for formula patterns that may pose a security risk. If a risk is detected, the upload is blocked and the file is not attached.
- Sanitize: Zuora automatically neutralizes potentially risky formulas in the uploaded CSV or spreadsheet file. Leading formula characters, such as =, +, -, or @, are removed or encoded so that affected cells are treated as plain text when opened, while the upload itself is allowed.
- Click Save.
The selected CSV injection protection behavior is applied to file attachments for the entity.