Internet-Draft | rfc4180-bis | September 2022 |
Shafranovich | Expires 18 March 2023 | [Page] |
This RFC documents the common format used for Comma-Separated Values (CSV) files and updates the associated MIME type "text/csv".¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 18 March 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The comma separated values format (CSV) has been used as a common way to exchange data between disparate systems and applications for many years. Surprisingly, while this format is very popular, it has never been formally documented and didn't have a media type registered. This was addressed in 2005 via publication of [RFC4180] and the concurrent registration of the "text/csv" media type.¶
Since the publication of [RFC4180], the CSV format has evolved and this specification seeks to reflect these changes as well as update the "text/csv" media type registration.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The original motivation of [RFC4180] was to provide a reference in order to register the media type "text/csv". It tried to document existing practices at the time based on the approaches used by most implementations. This document continues to do the same, and updates the original document to reflect current practices for generating and consuming of CSV files.¶
Both [RFC4180] and this document are published as informational RFC for the benefit of the Internet community and and not intended to be used as formal standards. Implementers should consult [RFC1796] and [RFC2026] for crucial differences between IETF standards and informational RFCs.¶
While there had been various specifications and implementations for the CSV format (for ex. [CREATIVYST], [EDOCEO], [CSVW] and [ART])), prior to publication of [RFC4180] there is no attempt to provide a common specification. This section documents the format that seems to be followed by most implementations (incorporating changes since the publication of [RFC4180]).¶
Each record is located on a separate line, ended by a line break (CR, LF or CRLF). For example:¶
aaa,bbb,cccCRLF
zzz,yyy,xxxCRLF¶
The last record in the file MUST have an ending line break. For example:¶
aaa,bbb,cccCRLF
zzz,yyy,xxxCRLF¶
The first record in the file MAY be an optional header with the same format as normal records. This header will contain names corresponding to the fields in the file and SHOULD contain the same number of fields as the records in the rest of the file. For example:¶
field_name_1,field_name_2,field_name_3CRLF
aaa,bbb,cccCRLF
zzz,yyy,xxxCRLF¶
Within each record, there MAY be one or more fields, separated by commas. Each record SHOULD contain the same number of fields throughout the file. Spaces are considered part of a field and SHOULD NOT be ignored. The last field in the record MUST NOT be followed by a comma. For example:¶
aaa,bbb,cccCRLF¶
Each field MAY be enclosed in double quotes (however some programs, do not use double quotes at all). If fields are not enclosed with double quotes, then double quotes MUST NOT appear inside the fields. For example:¶
"aaa","bbb","ccc"CRLF
zzz,yyy,xxxCRLF¶
Fields containing line breaks (CR, LF or CRLF), double quotes, or commas MUST be enclosed in double-quotes. The same applies for the first field of a record that starts with a hash to avoid the field from being parsed as a comment. For example:¶
"aaa","b CRLF
bb","ccc"CRLF
zzz,yyy,xxxCRLF
"#aaa",#bbb,cccCRLF¶
A double-quote appearing inside a field MUST be escaped by preceding it with another double quote. For example:¶
"aaa","b""bb","ccc"CRLF¶
A hash sign MAY be used to mark lines that are meant to be commented lines. A commented line can contain any whitespace or visible character until it is terminated by a line break (CR, LF or CRLF). A comment line MAY appear in any line of the file (before or after an OPTIONAL header) but MUST NOT be mistaken with a subsequent line of a multi-line field. Subsequent lines of multi-line fields can start with a hash sign and MUST NOT interpreted as comments. For example:¶
#commentCRLF
aaa,bbb,cccCRLF
#comment 2CRLF
"aaa","this is CRLF
# not a comment","ccc"CRLF¶
Since the initial publication of [RFC4180], the default charset for "text/*" media types has been changed to UTF-8 (as per [RFC6657]) and [RFC7111]. This document reflects this change and the default charset for CSV files is now UTF-8.¶
Although section 4.1.1. of [RFC2046] defines CRLF to denote line breaks, implementers MAY recognize a single CR or LF as a line break (similar to section 3.1.1.3 of [RFC7231]). However, some implementations MAY use other values.¶
The ABNF grammar (as per [RFC5234]) appears as follows:¶
file = *((comment / record) linebreak) comment = hash *comment-data record = first-field *(comma field) linebreak = CR / LF / CRLF first-field = (escaped / first-non-escaped) field = (escaped / non-escaped) escaped = DQUOTE *(data-with-hash / comma / CR / LF / 2DQUOTE) DQUOTE first-non-escaped = [data *data-with-hash] non-escaped = *data-with-hash comma = %x2C hash = %x23 comment-data = WSP / %x21-7E / UTF8-data ; characters without control characters data = WSP / %x21 / %x24-2B / %x2D-7E / UTF8-data ; characters without control characters, comma, hash and DQUOTE data-with-hash = data / hash CR = %x0D ; as per section B.1 of [RFC5234] DQUOTE = %x22 ; as per section B.1 of [RFC5234] LF = %x0A ; as per section B.1 of [RFC5234] CRLF = CR LF ; as per section B.1 of [RFC5234] HTAB = %x09 ; as per section B.1 of [RFC5234] SP = %x20 ; as per section B.1 of [RFC5234] WSP = SP / HTAB ; as per section B.1 of [RFC5234] UTF8-data = UTF8-2 / UTF8-3 / UTF8-4 ; as per section 4 of [RFC3629]¶
Note that the authoritative definition of UTF-8 is in section 2.5 of [UNICODE].¶
This section describes some common concerns that may arise when producing or parsing CSV files. All of these remain out of scope for this document and are included for awareness. Implementers may also use other means to handle these use cases such as [CSVW].¶
Some implementations (such as databases) treat empty fields and null values differently. For these implementations, there is a need to define a special value representing a null. However, this specification does not attempt to define a default value for nulls.¶
Example of a CSV file with nulls (if "NULL" is used to mark nulls):¶
field_name_1,field_name_2,field_name_3CRLF
aaa,bbb,cccCRLF
zzz,NULL,xxxCRLF¶
Implementers should be aware that in accordance to this specification a file does not need to contain any comments or records. Therefore, an empty file with zero bytes is considered valid.¶
This specification recommends but doesn't require having the same number of fields in every line. This allows CSV files to have empty lines without any fields at all. Implementors may choose to to skip empty lines instead of parsing them but this specification does not dictate such behavior.¶
Example of a CSV file with empty lines:¶
field_name_1,field_name_2,field_name_3CRLF
aaa,bbb,cccCRLF
CRLF
zzz,yyy,xxxCRLF¶
However, if the records are only made up of one field it is not possible to differentiate between an empty line, and an empty and unquoted field. This differentiation might play an important role in some implementations such as database exports/imports.¶
Example of a CSV file with empty lines and only one field per record:¶
aaa
CRLF
bbbCRLF¶
When quoted fields are used, it is possible for a field to span multiple lines, even when line breaks appear within such field.¶
Implementers should be aware that some applications may treat header values as unique (either case-sensitive or case-insensitive).¶
When quoted fields are used, this document does not allow whitespace between double quotes and commas. Implementers should be aware that some applications may be more lenient and allow whitespace outside the double quotes.¶
This document defines a comma as a field separator but implementers should be aware that some applications may use different values, especially with non-English languages. Those are outside the scope of this document and implementers should consult other efforts such as [CSVW].¶
This document prescribes that a double-quote appearing inside a field must be escaped by preceding it with another double quote. Implementers should be aware that some applications may choose to use a different escaping mechanism.¶
Applications that create text files with unicode character encoding might write a BOM (byte order mark) header in order to support multiple unicode encodings (like UTF-16 and UTF-32). Some applications might be able to read and properly interpret such a header, others could break. Implementors should review section 6 of [RFC3629] and section 23.8 of [UNICODE].¶
While most of the world's written languages are displayed left-to-right, many languages such as ones based on Hebrew or Arabic scripts are displayed primarily right-to-left. Implementers should consult the "bidirectional display" part in section 5 of [RFC6365] for further guidance.¶
The media type registration of "text/csv" should be updated as per specific fields below:¶
Encoding considerations:¶
CSV MIME entities can consist of binary data as per section 4.8 of [RFC6838]. Although section 4.1.1. of [RFC2046] defines CRLF to denote line breaks, implementers MAY recognize a single CR or LF as a line break (similar to section 3.1.1.3 of [RFC7231]). However, some implementations may use other values.¶
Published specification:¶
While numerous private specifications exist for various programs and systems, there is no single "master" specification for this format. An attempt at a common definition can be found in [RFC4180] and this document. Implementers should note that both documents are informational in nature and are not standards.¶
Optional parameters: charset¶
The "charset" parameter specifies the charset employed by the CSV content. In accordance with [RFC6657], the charset parameter SHOULD be used, and if it is not present, UTF-8 SHOULD be assumed as the default (this implies that US- ASCII CSV will work, even when not specifying the "charset" parameter). Any charset defined by IANA for the "text" tree may be used in conjunction with the "charset" parameter.¶
Security considerations:¶
Text/csv consists of nothing but passive text data that should not pose any direct risks. However, it is possible that malicious data may be included in order to exploit buffer overruns or other bugs in the program processing the text/csv data.¶
Implementers and users should also be aware that some software applications may interpret certain characters in the beginning of CSV fields as referring to code or formulas, thus resulting in malicious code execution. This is known as "CSV injection" and users consuming CSV files should filter out such characters.¶
The text/csv format provides no confidentiality or integrity protection, so if such protections are needed they must be supplied externally.¶
The fact that software implementing fragment identifiers for CSV and software not implementing them differs in behavior, and the fact that different software may show documents or fragments to users in different ways, can lead to misunderstandings on the part of users. Such misunderstandings might be exploited in a way similar to spoofing or phishing.¶
Implementers and users of fragment identifiers for CSV text should also be aware of the security considerations in RFC 3986 [RFC3986] and RFC 3987 [RFC3987].¶
Interoperability considerations:¶
Due to lack of a single specification, there are considerable differences among implementations. Implementers should "be conservative in what you do, be liberal in what you accept from others" ([RFC0793]) when processing CSV files. An attempt at a common definition can be found in Section 2.¶
IANA is directed to update the MIME type registration for "text/csv" as per instructions provided in Section 4 of this document and include a reference to this document within the registration.¶
All security considerations discussed in Section 4 still apply.¶
In addition to everyone thanked previously in [RFC4180], the author would like to thank acknowledge the contributions of the following people to this document: Alperen Belgic, Abed BenBrahim, Damon Koach, Barry Leiba, Oliver Siegmar, Marco Diniz Sousa and Greg Skinner.¶
A special thank you to L.T.S.¶
Note to the RFC Editor: Please remove this section prior to publication.¶
Development of this draft takes place on Github at: https://github.com/yakovsh/rfc4180-bis¶
Comments can also be sent to the ART mailing list at: https://www.ietf.org/mailman/listinfo/art¶
Full list of changes can be viewed via the IETF document tracker: https://tools.ietf.org/html/draft-shafranovich-rfc4180-bis¶