
🛡️ Securely from Forms to Excel: Protection against formula injection with Power Automate

  • Author: kim
  • 16 July
  • 4 min read

📋 Scenario

You use Microsoft Forms with two fields (e.g., first name and last name) on your website. The form is reachable worldwide via a public link, a classic setup for a contact form, newsletter subscription, or quick feedback.

As soon as the form is submitted, Power Automate should write the data automatically into an Excel spreadsheet stored internally.

At first glance this is a practical low-code use case, but it carries an underappreciated security risk: the form accepts untrusted input from anyone on the internet and hands it to Excel unchanged.


🎁 Bonus: Securing a Form using AI

At the very bottom of the article, you'll find a creative alternative way to increase security using AI prompts. I'm curious to hear your thoughts on this!



🧠 Why this is a problem

In Microsoft Excel, a cell can hold not only text but also formulas that Excel evaluates. This is useful in general, but becomes dangerous when the formula text comes from outside, i.e. from an untrusted user.

Example:

=HYPERLINK("http://evil.com", "Click here")

In the form this string looks like an ordinary text value. If it is written unfiltered into an Excel cell, however, Excel evaluates it and shows a clickable link, even though the submitter never had access to the file. This is a classic example of formula injection (also known as CSV injection).



Things get even worse with more sophisticated payloads like:

=cmd|' /C calc'!A0

This payload uses Dynamic Data Exchange (DDE): the part before the pipe names an application (cmd), the part after it is the command handed to it. Whether it runs depends on the client configuration. Current Excel versions block the DDE server launch by default and at most show a warning prompt, but the protection lives in the reader's Excel settings and in how the reader answers the prompts, so you cannot rely on it from the flow's side.


In short: anyone who receives data via Microsoft Forms and saves it directly in Excel should be careful.



📌 Goal

In this article, I'll show you how, with just a few resources, you can ensure that entries from a Microsoft Form are not interpreted as a formula in Excel but are saved as plain text, using Power Automate and a simple security filter.


🚨 Dangerous characters & prefixes

The filter below removes the following characters and combinations from user input before they are written to Excel:

  • = – starts a formula
  • +, -, @ – can also start a formula (Excel turns a leading + or - into =, and @ is the old function-call prefix)
  • *, /, \ – arithmetic operators
  • ', ` – escape and quoting characters
  • ;, |, &, : – separators and operators (| and ! are part of the DDE syntax in =cmd|'...'!A0, & concatenates strings, : builds cell ranges)
  • !, <, >, ", ? – URL or function components

Keep in mind that removing characters is lossy: a name such as Anne-Marie O'Neil becomes AnneMarie ONeil. Only the leading character decides whether Excel evaluates a cell, so a data-preserving alternative is to prefix values that start with =, +, -, @ (or a tab or carriage return) with a single quote ', which makes Excel store the cell as text. Whether that prefix survives your Excel connector unchanged is something to verify in the test step.

✅ Step-by-step instructions

🔧 1. Trigger: Microsoft Forms

  • Trigger: When a new response is submitted

  • Action: Get response details


✂️ 2. Clean up inputs

After retrieving the responses, add a Compose action or a variable step to the flow that removes the dangerous characters from each input:

Example: Cleaning the first name

@{replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(
outputs('Get_response_details')?['body/r838c896106aa413f960ea18c092012cd'],
'=', ''), '+', ''), '-', ''), '@', ''), '*', ''), '/', ''), '\', ''), '''', ''), '`', ''), ';', ''), '|', ''), '&', ''), ':', ''), '!', ''), '<', ''), '>', ''), '"', ''), '?', '')}

Two details of the Power Automate expression language matter here: a single quote inside a string literal is written as two single quotes, so '''' is the one-character string ', and the backslash is not an escape character, so the backslash is matched with '\' (writing '\\' would only match two consecutive backslashes and leave a single one in place).

And for the surname accordingly:

@{replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(
outputs('Get_response_details')?['body/r0c6860e6376b4f58aa0a21b42a075c3a'],
'=', ''), '+', ''), '-', ''), '@', ''), '*', ''), '/', ''), '\', ''), '''', ''), '`', ''), ';', ''), '|', ''), '&', ''), ':', ''), '!', ''), '<', ''), '>', ''), '"', ''), '?', '')}

🧠 Of course, you have to replace the field IDs (body/r…) with the IDs from your own form.


📥 3. Write cleaned data to Excel

In the Excel action (for example Add a row into a table), map the columns to the cleaned Compose outputs or variables instead of the raw form fields. This keeps the dangerous characters out of the spreadsheet.

🧪 4. Test the security logic

Submit intentionally dangerous formulas through the form and check what lands in Excel:

  • Input: =HYPERLINK("http://evil.com", "Click here") – Expected result: no clickable link in Excel, just text
  • Input: =cmd|' /C calc'!A0 – Expected result: no DDE prompt and no command execution, just text
  • Input: +SUM(A1:A10) – Expected result: no calculation, just text
  • Input: @SUM(B1:B5) – Expected result: not evaluated as a function call, just text

Result with the security filter applied (screenshot):
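The following is an added example, not code from the original post: a reference implementation in Python of the same sanitizer logic that the replace() chain in step 2 performs, next to the quote-prefix alternative that preserves the data, run over the four payloads from the test table above plus one legitimate name. The field names in the constructed sample response and the "quote" mode are my additions; the post itself only shows the strip approach. Whether a leading apostrophe is stored verbatim by your Excel connector is an assumption to verify against your own flow.

```python
# Reference implementation of the formula-injection sanitizer (added example, not the
# post's Power Automate expression). Runs offline on constructed form values.

# The 18 characters the article's replace() chain deletes
STRIPPED_CHARS = frozenset("=+-@*/\\'`;|&:!<>\"?")

# Leading characters that make Excel (and CSV importers) evaluate a cell instead of storing
# text. Tab and carriage return are a conservative extension beyond the article's list.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if Excel would try to evaluate the cell. Leading spaces are ignored on purpose:
    a false positive only costs a quote, a false negative is the vulnerability."""
    return value.lstrip(" ").startswith(FORMULA_PREFIXES)


def strip_dangerous(value: str) -> str:
    """The article's approach: delete every listed character, wherever it occurs."""
    return "".join(ch for ch in value if ch not in STRIPPED_CHARS)


def quote_prefix(value: str) -> str:
    """Data-preserving alternative: a leading apostrophe tells Excel the cell is text.
    Assumption: the writer stores the string verbatim (true for typed/pasted cells and
    CSV import; check the behaviour of your Excel connector before relying on it)."""
    return "'" + value if is_formula_like(value) else value


def sanitize_response(fields: dict, mode: str = "strip") -> dict:
    """Sanitize every field of a form response with the chosen strategy ("strip" or "quote")."""
    clean = strip_dangerous if mode == "strip" else quote_prefix
    return {name: clean(str(value)) for name, value in fields.items()}


# Constructed form submission: the four payloads from the test table plus a legitimate
# name that shows what stripping costs. Field names are hypothetical.
SAMPLE_RESPONSE = {
    "first_name": '=HYPERLINK("http://evil.com", "Click here")',
    "last_name": "=cmd|' /C calc'!A0",
    "plus": "+SUM(A1:A10)",
    "at": "@SUM(B1:B5)",
    "legit": "Anne-Marie O'Neil",
}

if __name__ == "__main__":
    for mode in ("strip", "quote"):
        print(f"--- {mode} ---")
        for name, value in sanitize_response(SAMPLE_RESPONSE, mode).items():
            print(f"{name:10} formula_like={is_formula_like(value)!s:5} {value}")
```

Running it shows the trade-off in one screen: in "strip" mode all five values are inert, but the legitimate name has lost its hyphen and apostrophe; in "quote" mode the four payloads get a leading apostrophe and the name is untouched. Use is_formula_like on the raw value as the trigger for the optional logging row from the best-practices list, so you can see which submissions were actually tampered with.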

🧷 Best Practices

  • Clean up inputs – always before writing to Excel
  • Protect Excel – disable macros and external content (DDE, external links) in the Trust Center of the workstations that open the file
  • Treat data as text – prevent Excel from interpreting cell content as a formula
  • Test the flow regularly – especially with public forms
  • Logging – optional: store the original, unfiltered values separately (e.g. in a SharePoint list) so you can see what was submitted and what the filter removed




🤖 Bonus: Validation with Power Platform AI Prompts

While manually removing dangerous characters with a replace() chain works reliably, there is now an alternative with AI support: the Power Platform lets you run AI prompts directly in the flow to check and clean inputs and even return them in JSON format, without any hand-written string code.


✨ Why this is exciting:

  • You don't have to clean each string individually by hand.

  • You can pass the entire data object (e.g. the whole form response) to the prompt.

  • The prompt can be extended flexibly and uses the model's pattern recognition (e.g. suspicious formulas, URLs, special characters).



🔧 This is how it works in flow


Step 1: "Run a Prompt" (AI Builder)

Instead of replace() commands, you use an AI prompt (shown as a screenshot in the original post) that instructs the model to remove formula-triggering content from every field of the form response and to return the cleaned fields as JSON.


✅ The prompt is called via the AI Builder action Run a prompt, with the entire form object passed as input.

🔄 Output: A clean JSON version of the inputs, e.g.:

{
  "Vorname": "Max",
  "Nachname": "Mustermann"
}

Step 2: Write the cleaned values to Excel

Now, instead of using the original values from the form, use the cleaned values from the AI's JSON response.


🧠 Advantages of the AI prompt variant

  • 🔁 Reusable – the prompt can easily be extended or customized
  • 🧠 Smarter – recognizes patterns beyond simple character comparisons
  • 📉 Less code – no nested replace() chains
  • 🧰 More context – works with complete objects, not just individual values

⚠️ Respect boundaries

  • Paid: AI prompts require AI Builder credits or a corresponding license.

  • Latency: execution takes noticeably longer than simple string functions.

  • Black box: what counts as "harmful" is decided by the model, and the submitted text is itself part of the prompt, so a submitter can try to talk the model into passing a value through unchanged. Always validate the returned JSON (shape, field names, and a deterministic re-check for leading formula characters) before writing it to Excel.
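As an added example of that validation step (not part of the original post and not AI Builder code), the following Python reads a reply as the Run a prompt action might return it and accepts it only if it is a JSON object with exactly the expected string fields and none of them still starts like a formula. The field names come from the JSON sample above; the constructed replies, the handling of Markdown code fences around the JSON, and the rejection rules are my assumptions about how such output should be policed.

```python
# Validate the AI prompt's JSON output before it is written to Excel (added example).
import json
import re

# Field names from the article's sample JSON output; adjust to your form's labels (assumption)
EXPECTED_FIELDS = frozenset({"Vorname", "Nachname"})

# Leading characters that make Excel evaluate a cell; the deterministic check is re-applied
# to the model's output so the prompt is never the only line of defence
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Models frequently wrap JSON in ``` fences; accept that shape but nothing else around it
_FENCE = re.compile(r"^\s*```(?:json)?\s*(.*?)\s*```\s*$", re.DOTALL)


def is_formula_like(value: str) -> bool:
    return value.lstrip(" ").startswith(FORMULA_PREFIXES)


def validate_ai_output(raw: str) -> dict:
    """Return the cleaned fields, or raise ValueError if the reply must not reach Excel."""
    text = raw.strip()
    fenced = _FENCE.match(text)
    if fenced:
        text = fenced.group(1)
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict) or set(data) != EXPECTED_FIELDS:
        raise ValueError("unexpected shape or field names")
    for name, value in data.items():
        if not isinstance(value, str):
            raise ValueError(f"{name} is not a string")
        if is_formula_like(value):
            raise ValueError(f"{name} still looks like a formula: {value!r}")
    return data


def rejects(raw: str) -> bool:
    """True if validate_ai_output refuses the reply (used by the demo and the checks)."""
    try:
        validate_ai_output(raw)
    except ValueError:
        return True
    return False


# Constructed replies standing in for what "Run a prompt" might return
REPLY_CLEAN = '{"Vorname": "Max", "Nachname": "Mustermann"}'
REPLY_FENCED = '```json\n{"Vorname": "Max", "Nachname": "Mustermann"}\n```'
# The model was talked into echoing the payload instead of cleaning it
REPLY_PASSED_THROUGH = '{"Vorname": "=HYPERLINK(\\"http://evil.com\\", \\"Click here\\")", "Nachname": "Mustermann"}'
REPLY_EXTRA_FIELD = '{"Vorname": "Max", "Nachname": "Mustermann", "Notiz": "x"}'
REPLY_CHATTY = 'Sure! Here is the cleaned data: {"Vorname": "Max"}'

if __name__ == "__main__":
    print("accepted:", validate_ai_output(REPLY_FENCED))
    for reply in (REPLY_PASSED_THROUGH, REPLY_EXTRA_FIELD, REPLY_CHATTY):
        print("rejected:", rejects(reply), "<-", reply[:60])
```

In the flow, a rejected reply should not silently fall back to the raw form values; route it to the logging list from the best-practices table (or to the replace() filter from step 2) so a prompt that was steered by the submitter does not become the path into the spreadsheet.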



🧩 Conclusion & Feedback Question

Whether with replace() or with AI support, both are valid ways to protect your Excel data against malicious formulas. The AI approach is particularly interesting if you want to check multiple fields at once, streamline the flow, or even perform a semantic evaluation.



💬 How do you solve this?

I am interested in:

  • Do you already use AI prompts in your everyday work, perhaps even for input validation?

  • Have you found other ways to make Excel form saves secure?


👉 I look forward to your thoughts via LinkedIn or in the comments.
