Security: Prevent csv formula injection attack (#17363)

* mitigate https://www.owasp.org/index.php/CSV_Injection

- prepend csv cell values that begin with -, +, = or @ with '
- trim trailing whitespace from all csv values

* test for csv formula injection mitigation

public/app/core/specs/file_export.test.ts

@@ -92,6 +92,7 @@ describe('file_export', () => {
           [0x123, 'some string with \n in the middle', 10.01, false],
           [0b1011, 'some string with ; in the middle', -12.34, true],
           [123, 'some string with ;; in the middle', -12.34, true],
+          [1234, '=a bogus formula  ', '-and another', '+another', '@ref'],
         ],
       };
 
@@ -108,7 +109,8 @@ describe('file_export', () => {
         '501;"some string with "" at the end""";0.01;false\r\n' +
         '291;"some string with \n in the middle";10.01;false\r\n' +
         '11;"some string with ; in the middle";-12.34;true\r\n' +
-        '123;"some string with ;; in the middle";-12.34;true';
+        '123;"some string with ;; in the middle";-12.34;true\r\n' +
+        '1234;"\'=a bogus formula";"\'-and another";"\'+another";"\'@ref"';
 
       expect(returnedText).toBe(expectedText);
     });

public/app/core/utils/file_export.ts

@@ -17,7 +17,11 @@ function csvEscaped(text) {
     return text;
   }
 
-  return text.split(QUOTE).join(QUOTE + QUOTE);
+  return text
+    .split(QUOTE)
+    .join(QUOTE + QUOTE)
+    .replace(/^([-+=@])/, "'$1")
+    .replace(/\s+$/, '');
 }
 
 const domParser = new DOMParser();