Conversation

@sequba
Contributor

@sequba sequba commented Apr 22, 2025

Changes:

  • Add a configuration option sanitizeValues to the exportPlugin.downloadFile API that controls value sanitization during CSV export
    • when sanitizeValues is true, HOT sanitizes values according to OWASP recommendations
    • when sanitizeValues is a regexp, HOT escapes all values that match the regexp
    • when sanitizeValues is a function, HOT replaces all values with the return value of the function
    • when sanitizeValues is not set, HOT doesn't sanitize values
  • Add e2e tests for this feature
  • Update typing for ExportOptions interface
  • Update relevant jsdocs
  • Describe it in export-to-csv guide

How has this been tested?

  • unit tests
  • new unit tests

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature or improvement (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Additional language file or change to the existing one (translations)

Related issue(s):

Fixes https://github.com/handsontable/dev-handsontable/issues/1275

Affected project(s):

  • handsontable
  • @handsontable/angular
  • @handsontable/react
  • @handsontable/react-wrapper
  • @handsontable/vue
  • @handsontable/vue3

Checklist:

@sequba sequba self-assigned this Apr 22, 2025
@sequba sequba marked this pull request as ready for review April 22, 2025 11:43
@codesandbox-ci

codesandbox-ci bot commented Apr 22, 2025

This pull request is automatically built and testable in CodeSandbox.

Latest deployment of this branch, based on commit 27fc366:

Sandboxes:

  • handsontable-pr-javascript-demo
  • handsontable-ts-demo
  • handsontable-pr-react-demo

@sequba sequba requested review from jansiegel and qunabu April 22, 2025 14:48
@github-actions

github-actions bot commented Apr 22, 2025

Launch the local version of documentation by running:

npm run docs:review f7bf68f2ca3930f5bd3542f776eb1b5b65352e9c

* @returns {string}
* @private
*/
_sanitizeValueWithOWASP(value) {
Member

Not crucial, but you could utilize the private method notation with #, so #sanitizeValueWithOWASP. I think this plugin doesn't use it yet because it was created before we supported it.

Contributor Author

Done.

Member

@sequba I can see this change broke the test. These "private" functions don't seem to be that private 🙄. I think you can either revert this change or try to refactor the plugin to make them actually private, whatever you think is best.

Contributor Author

I changed escapeCell to be public again.

@qunabu
Contributor

qunabu commented Apr 23, 2025

Add an example with 4 buttons that represent each sanitize option

[Screenshot of the proposed example page, 2025-04-23]

with content

## Example with `sanitize` option enabled

The sanitize option for the Export to CSV plugin helps prevent [CSV injection](https://owasp.org/www-community/attacks/CSV_Injection) vulnerabilities by sanitizing cell data before exporting. CSV injection can occur when malicious formulas or commands are injected into CSV files that are later opened in spreadsheet applications.

button1 button2 button3 button4

table with unsafe data 

toolbar with sourcecode preview 
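The following is an added, stand-alone model of the four sanitizeValues behaviours listed in the PR description (true, RegExp, function, unset), applied to the kind of unsafe cell data the example above would display. It is illustration code written for this page, not Handsontable's own implementation; the helper names sanitizeCellOWASP, sanitizeCell and rowToCsv, the sample row, and the reading of "escapes all values that match the regexp" as "applies the OWASP escaping to matching values" are all assumptions.

```javascript
// Added example, not Handsontable code. Models the `sanitizeValues` option
// from the PR for a single CSV cell and a single row. Helper names and the
// sample data are constructed for this illustration.

// Leading characters that make spreadsheet applications evaluate a cell as a
// formula. The OWASP CSV Injection guidance is to prefix such cells with a
// single quote, wrap every cell in double quotes, and double embedded quotes.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', '\t', '\r'];

// OWASP-style sanitization of one cell value.
function sanitizeCellOWASP(value) {
  const text = String(value);
  const escaped = text.replace(/"/g, '""');
  const startsWithTrigger = FORMULA_TRIGGERS.some(ch => text.startsWith(ch));
  // Quoting keeps separators and newlines inside the value from breaking the
  // row; the single-quote prefix stops the cell from being treated as a formula.
  return `"${startsWithTrigger ? "'" : ''}${escaped}"`;
}

// Dispatch on the type of `sanitizeValues`, mirroring the four cases in the PR:
//   true      -> OWASP sanitization of every value
//   RegExp    -> OWASP escaping only for values matching the regexp (assumption)
//   function  -> the value is replaced by whatever the function returns
//   undefined -> the value passes through untouched
function sanitizeCell(value, sanitizeValues) {
  if (sanitizeValues === true) {
    return sanitizeCellOWASP(value);
  }
  if (sanitizeValues instanceof RegExp) {
    // A regexp with the `g` flag carries lastIndex state between calls;
    // reset it so the match is evaluated from the start of each value.
    sanitizeValues.lastIndex = 0;
    return sanitizeValues.test(String(value)) ? sanitizeCellOWASP(value) : String(value);
  }
  if (typeof sanitizeValues === 'function') {
    return String(sanitizeValues(value));
  }
  return String(value);
}

// Serialize one row with the chosen sanitization mode.
function rowToCsv(row, sanitizeValues, separator = ',') {
  return row.map(cell => sanitizeCell(cell, sanitizeValues)).join(separator);
}

// Constructed sample row: a benign name, a cell a spreadsheet would evaluate
// as a formula, a legitimate negative number (shows the cost of the prefix),
// and a value containing double quotes.
const SAMPLE_ROW = ['Alice', '=SUM(1,2)', '-5', 'say "hi"'];

// Stand-alone demonstration of each mode.
console.log('unset   :', rowToCsv(SAMPLE_ROW, undefined));
console.log('true    :', rowToCsv(SAMPLE_ROW, true));
console.log('regexp  :', rowToCsv(SAMPLE_ROW, /^[=+\-@]/));
console.log('function:', rowToCsv(SAMPLE_ROW, v => String(v).replace(/^[=+\-@]+/, '')));
```

Note the trade-off the RegExp and function modes exist for: with sanitizeValues set to true, the legitimate value -5 also receives the single-quote prefix, because a leading minus is a formula trigger; a narrower regexp or a custom function lets an integrator decide which values are worth altering.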

@sequba sequba requested review from jansiegel and qunabu April 23, 2025 13:34
@sequba sequba merged commit 1e4543f into develop Apr 23, 2025
33 of 34 checks passed
@sequba sequba deleted the feature/dev-issue-1275 branch April 23, 2025 13:45
@sequba
Contributor Author

sequba commented Apr 23, 2025

Add an example with 4 buttons that represent each sanitize option

This will be done in a separate task: https://github.com/handsontable/dev-handsontable/issues/2444
