CSV Export Changes - Sanitizing Data For Merchant Security

As of October 3, 2018, we have changed how CSV data exports are created in order to address a very specific security issue. Previously, an export simply took the data that was in our database and wrote it into a spreadsheet. Now, any string field that begins with one of these four characters (+, -, =, @) will have those characters removed from the beginning of that field ONLY in the exported CSV.

Please note that we are NOT changing any actual data in the database; we are only sanitizing the data as it is written to the CSV. This sanitization is already in effect for all new merchants (and their sites), effective immediately. We will release this feature to all of our merchants effective November 20th, 2018, to give existing merchants time to make any necessary changes.

The only exception to this rule is a value that starts with a + and contains only digits. This is so that phone numbers in that format will export as normal.

Change Examples

Formerly:

"@johnsmith" would export as "@johnsmith"

"---50% off coupon" would export as "---50% off coupon"

"+404 555 5555" would export as "+404 555 5555"

"= really good customer" would export as "= really good customer"

Now:

"@johnsmith" would export as "johnsmith"

"---50% off coupon" would export as "50% off coupon"

"+404 555 5555" would still export as "+404 555 5555"

"= really good customer" would export as " really good customer"


This was modified because:

While it was never reported to have happened to any merchants, it was theoretically possible for one of a merchant’s clients to submit executable code as a string input, which would then be included in one of the normal fields of the CSV export.

The code could then be executed if both A and B happen.

  • (A) The merchant opens the file in a CSV viewer (Excel).
  • (B) The code attempts to run and the merchant clicks a “trust this source” pop-up that appears.
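
The export rule and the change examples described above, written out as a small Python sanitizer. This is an added example, not the export code used by the service: the names sanitize_field and export_csv are hypothetical, and it assumes spaces are allowed in the phone-number exception because the page's "+404 555 5555" example is exported unchanged.

```python
import csv
import io
import re

# Characters the page says are stripped from the start of exported string fields.
STRIP_CHARS = "+-=@"

# Exception from the page: a value that starts with + and otherwise holds digits.
# Assumption: spaces between digit groups are allowed, because the page's own
# example "+404 555 5555" is exported unchanged.
PHONE_LIKE = re.compile(r"\+[0-9][0-9 ]*")


def sanitize_field(value):
    """Return the value as it would appear in the exported CSV."""
    if not isinstance(value, str):
        return value  # only string fields are sanitized
    if PHONE_LIKE.fullmatch(value):
        return value  # phone-number exception
    # Remove every leading +, -, = or @ (so "---50%" loses all three dashes).
    # Whitespace is left alone, matching the " really good customer" example.
    return value.lstrip(STRIP_CHARS)


def export_csv(rows):
    """Write rows to CSV text, sanitizing each field; the stored rows are not modified."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_field(field) for field in row])
    return buf.getvalue()


# Constructed sample records: the page's four examples, plus a constructed
# formula-style value and a non-string field.
SAMPLE_ROWS = [
    ["@johnsmith", "---50% off coupon"],
    ["+404 555 5555", "= really good customer"],
    ["=SUM(A1:A2)", 42],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```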

If you have any questions or concerns, please contact support.