---
title: Security
sidebar_position: 7
hide_table_of_contents: true
---

Please report any potential vulnerability or question to security@sheetjs.com

## Known Issues

SheetJS libraries use techniques that may be flagged by overzealous scanners.

**The issues in this section are fundamentally unavoidable.**

### URL References and XML

XLSX, SpreadsheetML2003, and a number of other spreadsheet file formats use XML.

XML namespaces are specified as URLs. For example, XLSX file properties follow
[Dublin Core](https://www.dublincore.org/specifications/dublin-core/dcmi-terms/)
Metadata standards. XLSX files must reference `http://purl.org/dc/elements/1.1/`.

**This is a design flaw of XML!**

Any tool that generates XML files must emit URLs pointing to domains outside of
the vendor's control.
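As an added illustration (not part of the SheetJS documentation or code base), the constructed `docProps/core.xml` part below shows why those URLs appear and how to triage a scanner hit: a namespace-aware parser matches the URL as a string identifier and never fetches it, and comparing the declared namespaces against the set the format mandates separates expected URLs from genuinely unexpected ones. The `EXPECTED_NS` allowlist and the helper names are my own.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample of the docProps/core.xml part found in XLSX packages.
# Every URL below is an XML namespace identifier required by the format.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Quarterly Report</dc:title>
  <dc:creator>Example User</dc:creator>
  <dcterms:created xsi:type="dcterms:W3CDTF">2024-01-02T03:04:05Z</dcterms:created>
</cp:coreProperties>
"""

DC_NS = "http://purl.org/dc/elements/1.1/"

# Namespaces the core-properties part is expected to declare (ECMA-376 and
# Dublin Core).  Anything outside this set deserves a closer look.
EXPECTED_NS = {
    "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "http://purl.org/dc/elements/1.1/",
    "http://purl.org/dc/terms/",
    "http://purl.org/dc/dcmitype/",
    "http://www.w3.org/2001/XMLSchema-instance",
}

def declared_namespaces(xml_bytes):
    """Collect the namespace URIs declared in a part (start-ns events only)."""
    return {uri for _, (_, uri) in
            ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",))}

def unexpected_namespaces(xml_bytes, expected=EXPECTED_NS):
    """Triage helper: declared namespace URLs that are NOT part of the format.
    An empty set means every flagged URL is a spec-mandated identifier."""
    return declared_namespaces(xml_bytes) - expected

def core_title(xml_bytes):
    """Read dc:title via Clark notation {uri}local.  The parser compares the
    URI as a string; nothing is requested from purl.org."""
    return ET.fromstring(xml_bytes).findtext(f"{{{DC_NS}}}title")

def with_unreachable_dc_namespace(xml_bytes):
    """Rebind the dc namespace to a host that cannot resolve.  Parsing still
    succeeds, which shows the URL is an identifier and never dereferenced."""
    return xml_bytes.replace(DC_NS.encode(), b"http://nonexistent.invalid/")
```

With the rebound namespace, `core_title` returns `None` because the element is now in a different namespace, not because anything was fetched; `unexpected_namespaces` then reports exactly that one URL.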

### Non-ASCII Characters

XLS, CSV and other legacy file formats use system-specific encodings. Excel and
other established software predate UTF-8. As a result, SheetJS libraries ship
with [the `codepage` encodings](/docs/constellation/codepage).

SheetJS libraries include CJK ("Chinese, Japanese and Korean") characters to
support CSV and XLS files generated by East Asian versions of Excel.

**The encodings are required for correct parsing of spreadsheet data!**

[The SheetJS library scripts are reproducible](/docs/miscellany/contributing).
Security-conscious developers should audit the source code and verify that the
build artifacts are identical to the official releases.