XSS in Excel Web Add-ins: A Real-World Fix

Excel web add-ins are just web apps wearing an Office badge. That sounds obvious, but teams forget it all the time. I’ve seen this play out the same way more than once: a team builds a task pane add-in, treats workbook data like “internal content,” renders it into the DOM, and accidentally creates a clean XSS path inside Excel. The UI looks harmless. The payload comes from a spreadsheet cell, a custom function result, or a document setting. Then somebody pastes attacker-controlled content into a workbook, shares it, and the add-in executes script in the task pane. ...

June 12, 2026 · 15 min · headertest.com
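The pattern described above, as an added example that is not code from the original post: workbook values concatenated into task pane markup, next to an escaped and a `textContent`-based version. The function names and the sample values are assumptions made up for illustration; the sample mimics the 2D array shape that Office.js returns for `range.values`.

```javascript
// Added example. All names here are hypothetical, not from the post.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Cells can hold strings, numbers, booleans or nothing; coerce, then escape.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: cell text is treated as "internal content" and
// concatenated into markup that later lands in innerHTML.
function renderRowsUnsafe(values) {
  return values
    .map((row) => "<tr>" + row.map((cell) => "<td>" + cell + "</td>").join("") + "</tr>")
    .join("");
}

// Hardened string builder: every cell is escaped before it reaches markup.
function renderRowsSafe(values) {
  return values
    .map((row) => "<tr>" + row.map((cell) => "<td>" + escapeHtml(cell) + "</td>").join("") + "</tr>")
    .join("");
}

// Preferred in the task pane itself: build nodes and assign textContent,
// so workbook data is never parsed as HTML at all.
function fillTable(tbody, values) {
  tbody.replaceChildren();
  for (const row of values) {
    const tr = tbody.ownerDocument.createElement("tr");
    for (const cell of row) {
      const td = tbody.ownerDocument.createElement("td");
      td.textContent = String(cell ?? "");
      tr.appendChild(td);
    }
    tbody.appendChild(tr);
  }
}

// Constructed sample: one cell carries markup, as a shared workbook might.
const sampleValues = [
  ["Task", "Owner"],
  ['<img src=x onerror="alert(1)">', "O'Brien & Co"],
  [42, ""],
];
```

The same treatment applies to custom function results and document settings, since both reach the task pane as workbook-controlled strings.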