diff --git a/packages/csv-stringify/lib/api/index.js b/packages/csv-stringify/lib/api/index.js
index 80c9f36b..2bd65f6a 100644
--- a/packages/csv-stringify/lib/api/index.js
+++ b/packages/csv-stringify/lib/api/index.js
@@ -158,6 +158,12 @@ const stringifier = function(options, state, info){
 }
 });
 quotedMatch = quotedMatch && quotedMatch.length > 0;
+// See https://github.com/adaltas/node-csv/pull/387
+// More about CSV injection or formula injection, when websites embed
+// untrusted input inside CSV files:
+// https://owasp.org/www-community/attacks/CSV_Injection
+// http://georgemauer.net/2017/10/07/csv-injection.html
+// Apple Numbers unicode normalization is empirical from testing
 if (escape_formulas) {
 switch (value[0]) {
 case '=':
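Review bot: The added comment block links to references but never states what the guard directly below it does, and `switch (value[0])` shows it inspects only the first character of the value, so a one-line scoping sentence would make the comment self-contained: `// Only the first character of the value is inspected; escape_formulas is an opt-in mitigation, not full output sanitization.` The line `// Apple Numbers unicode normalization is empirical from testing` should name which normalized characters the switch handles, since "empirical" leaves a future maintainer with nothing to re-verify; the switch body and the enclosing stringifier continue past the hunk, so the covered cases are not visible here. The georgemauer.net reference is linked over plain http; if that site serves https, the comment should use it so the citation is not trivially tamperable in transit.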