docs.sheetjs.com/docz/docs/09-miscellany/06-security.md

2025-04-21 02:17:01 +00:00
---
title: Security
sidebar_position: 7
hide_table_of_contents: true
---

Please report any potential vulnerability or question to security@sheetjs.com

## Known Issues

SheetJS libraries use techniques that may be flagged by overzealous scanners.

**The issues in this section are fundamentally unavoidable.**

### URL References and XML

XLSX, SpreadsheetML2003, and a number of other spreadsheet file formats use XML.
XML namespaces are specified as URLs. For example, XLSX file properties follow
[Dublin Core](https://www.dublincore.org/specifications/dublin-core/dcmi-terms/)
Metadata standards. XLSX files must reference `http://purl.org/dc/elements/1.1/`.

**This is a design flaw of XML!**

Any tool that generates XML files must generate URLs to domains outside of the
control of the vendor.
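
An added example (not SheetJS code) for triaging scanner findings of this kind: it separates URLs that appear only in `xmlns` namespace declarations, which XML parsers treat as identifier strings, from URLs anywhere else in the part. The function name `classifyUrls` and the sample XML are constructed for illustration.

```javascript
// Added example: triage URL findings in one XML part of a spreadsheet file.
// Regex-based on purpose (small, dependency-free); it is not a full XML parser.
function classifyUrls(xml) {
  const result = { namespaces: [], other: [] };
  const isUrl = (s) => /^https?:\/\//i.test(s);

  // Walk every start tag (skipping <?...?>, <!...> and end tags).
  for (const tag of xml.match(/<[^!?\/][^>]*>/g) || []) {
    const attrRe = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let m;
    while ((m = attrRe.exec(tag)) !== null) {
      const name = m[1];
      const value = m[2] !== undefined ? m[2] : m[3];
      if (!isUrl(value)) continue;
      // xmlns / xmlns:prefix values are namespace names, not links.
      const isNs = name === "xmlns" || name.startsWith("xmlns:");
      (isNs ? result.namespaces : result.other).push({ name, value });
    }
  }

  // URLs in character data are document content and go to review.
  const text = xml.replace(/<[^>]*>/g, " ");
  for (const value of text.match(/https?:\/\/[^\s<>"']+/gi) || []) {
    result.other.push({ name: "#text", value });
  }
  return result;
}

// Constructed sample modelled on an XLSX core properties part.
const SAMPLE_CORE_XML = [
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
  '<cp:coreProperties',
  '  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"',
  '  xmlns:dc="http://purl.org/dc/elements/1.1/"',
  '  xmlns:dcterms="http://purl.org/dc/terms/">',
  '  <dc:creator>Example Author</dc:creator>',
  '  <dc:description>Notes at https://example.com/notes</dc:description>',
  '</cp:coreProperties>'
].join("\n");

const report = classifyUrls(SAMPLE_CORE_XML);
console.log("namespace identifiers:", report.namespaces.map((n) => n.value));
console.log("needs review:", report.other.map((n) => n.value));
```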

### Non-ASCII Characters

XLS, CSV and other legacy file formats use system-specific encodings. Excel and
other established software predate UTF-8. As a result, SheetJS libraries ship
with [the `codepage` encodings](/docs/constellation/codepage).

SheetJS libraries include CJK ("Chinese, Japanese and Korean") characters to
support CSV and XLS files generated by East Asian versions of Excel.

**The encodings are required for correct parsing of spreadsheet data!**

[The SheetJS library scripts are reproducible](/docs/miscellany/contributing).
Security-conscious developers should audit the source code and verify that the
build artifacts are identical to the official releases.