Security
Please report any potential vulnerability or question to security@sheetjs.com.
Known Issues
SheetJS libraries use techniques that may be flagged by overzealous scanners.
The issues in this section are fundamentally unavoidable.
URL References and XML
XLSX, SpreadsheetML2003, and a number of other spreadsheet file formats use XML.
XML namespaces are specified as URLs. For example, XLSX file properties follow
Dublin Core Metadata standards. XLSX files must reference http://purl.org/dc/elements/1.1/.
This is a design flaw of XML!
Any tool that generates XML files must generate URLs to domains outside of the control of the vendor.
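One way to triage such scanner findings, as an added example (not SheetJS code): the hypothetical `classifyUrls` helper separates URLs that appear as `xmlns` namespace declarations from URLs found anywhere else in an XML part. The sample XML is constructed, modeled on an XLSX core-properties part.

```javascript
// Added example, not part of the SheetJS code base.
// Constructed sample modeled on an XLSX core-properties part (docProps/core.xml).
const SAMPLE_CORE_XML = [
  '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
  '<cp:coreProperties',
  ' xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"',
  ' xmlns:dc="http://purl.org/dc/elements/1.1/">',
  '<dc:creator>Constructed Author</dc:creator>',
  '<dc:description>see https://example.com/report</dc:description>',
  '</cp:coreProperties>'
].join('\n');

// classifyUrls (hypothetical helper): split URL strings in an XML part into
//   namespaces: values of xmlns / xmlns:prefix attributes (identifiers that
//               name a vocabulary, the kind of URL this section describes)
//   other:      every remaining http(s) URL, which deserves a closer look
// This is a regex scan meant for triage, not a full XML parser: comments or
// CDATA that contain xmlns-like text would be counted as declarations.
function classifyUrls(xml) {
  const nsRe = /\sxmlns(?::([A-Za-z_][\w.-]*))?\s*=\s*(["'])(.*?)\2/g;
  const namespaces = new Map(); // namespace URL -> declared prefix
  let m;
  while ((m = nsRe.exec(xml)) !== null) {
    namespaces.set(m[3], m[1] || '(default)');
  }
  // Blank out the declarations so the second pass only sees other URLs.
  const rest = xml.replace(nsRe, ' ');
  const other = [...new Set(rest.match(/https?:\/\/[^\s"'<>]+/g) || [])];
  return { namespaces: [...namespaces.entries()], other };
}

const report = classifyUrls(SAMPLE_CORE_XML);
for (const [url, prefix] of report.namespaces) {
  console.log(`namespace  ${prefix.padEnd(10)} ${url}`);
}
for (const url of report.other) {
  console.log(`other      ${''.padEnd(10)} ${url}`);
}
```
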
Non-ASCII Characters
XLS, CSV and other legacy file formats use system-specific encodings. Excel and
other established software predate UTF-8. As a result, SheetJS libraries ship
with the codepage encodings.
SheetJS libraries include CJK ("Chinese, Japanese and Korean") characters to support CSV and XLS files generated by East Asian versions of Excel.
The encodings are required for correct parsing of spreadsheet data!
The SheetJS library scripts are reproducible. Security-conscious developers should audit the source code and verify that the build artifacts are identical to the official releases.