Merged in feature/117-dev-dev01 (pull request #8)

auto-patch  117-dev-dev01-2023-12-15T16_09_06

* auto-patch  117-dev-dev01-2023-12-15T16_09_06

wp/wp-content/plugins/woocommerce/includes/export/abstract-wc-csv-exporter.php

@@ -360,7 +360,7 @@ abstract class WC_CSV_Exporter {
 	 * Additionally, Excel exposes the ability to launch arbitrary commands through
 	 * the DDE protocol.
 	 *
-	 * @see http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
+	 * @see https://owasp.org/www-community/attacks/CSV_Injection
 	 * @see https://hackerone.com/reports/72785
 	 *
 	 * @since 3.1.0
@@ -368,7 +368,9 @@ abstract class WC_CSV_Exporter {
 	 * @return string
 	 */
 	public function escape_data( $data ) {
-		$active_content_triggers = array( '=', '+', '-', '@' );
+		// 0x09: Tab (\t)
+		// 0x0d: Carriage Return (\r)
+		$active_content_triggers = array( '=', '+', '-', '@', chr( 0x09 ), chr( 0x0d ) );
 
 		if ( in_array( mb_substr( $data, 0, 1 ), $active_content_triggers, true ) ) {
 			$data = "'" . $data;