From 62de1cf7cb5898aa132a56feab03174a3dca7ad2 Mon Sep 17 00:00:00 2001
From: David Worms
Date: Tue, 9 May 2023 09:15:48 +0200
Subject: [PATCH] docs(csv-stringify): escape formulas references
---
 packages/csv-stringify/lib/api/index.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/packages/csv-stringify/lib/api/index.js b/packages/csv-stringify/lib/api/index.js
index 80c9f36b..2bd65f6a 100644
--- a/packages/csv-stringify/lib/api/index.js
+++ b/packages/csv-stringify/lib/api/index.js
@@ -158,6 +158,12 @@ const stringifier = function(options, state, info){
 }
 });
 quotedMatch = quotedMatch && quotedMatch.length > 0;
+ // See https://github.com/adaltas/node-csv/pull/387
+ // More about CSV injection or formula injection, when websites embed
+ // untrusted input inside CSV files:
+ // https://owasp.org/www-community/attacks/CSV_Injection
+ // http://georgemauer.net/2017/10/07/csv-injection.html
+ // Apple Numbers unicode normalization is empirical from testing
 if (escape_formulas) {
 switch (value[0]) {
 case '=':
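Review bot: The added comment `// More about CSV injection or formula injection, when websites embed untrusted input inside CSV files:` locates the risk at the website writing the file, but the injection only fires when the generated file is later opened by a spreadsheet application that evaluates cell contents, which is what the two linked references describe; suggest `// More about CSV (formula) injection, where untrusted input written to a CSV file is interpreted as a formula by the spreadsheet that opens it:`. The last added line, `// Apple Numbers unicode normalization is empirical from testing`, does not say what it explains; presumably the switch below contains cases for Unicode variants of the trigger characters, so wording such as `// The Unicode variants handled in the switch below were found by testing how Apple Numbers normalizes cell text, not from a published spec` would tell a maintainer why those cases exist. The switch and the enclosing stringifier function continue past the end of the hunk, so the full set of escaped prefixes is not visible here.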