From fae71668cee5e136eed52660a4f274a52a93916e Mon Sep 17 00:00:00 2001 From: Juanjo Diaz Date: Fri, 18 Oct 2019 15:08:35 +0200 Subject: [PATCH] docs: Document how to prevent CSV injection (#428) * Document how to prevent CSV injection * Fix typos in Readme --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ade75853..ef111ce1 100644 --- a/README.md +++ b/README.md 
@@ -891,15 +891,23 @@ This might produce few undesired effects with, for example, serial numbers: - Large numbers are displayed using scientific notation - Leading zeros are stripped. -The `excelString` option produces a Excel-specific CSV file that forces Excel to interpret string fields as strings. Please note that the CSV will look incorrect if viewing it somewhere else than Excel. +Enabling the `excelString` option produces an Excel-specific CSV file that forces Excel to interpret string fields as strings. Please note that the CSV will look incorrect if viewing it somewhere else than Excel. + +#### Avoiding CSV injection + +As part of Excel automatically format detection, fields regarded as formulas (starting with `=`, `+`, `-` or `@`) are interpreted regardless of whether the field is quoted or not, creating a security risk (see [CSV Injection](https://www.owasp.org/index.php/CSV_Injection). + +This issue has nothing to do with the CSV format, since CSV knows nothing about formulas, but with how Excel parses CSV files. + +Enabling the `excelString` option produces an Excel-specific CSV file that forces Excel to interpret string fields as strings. Please note that the CSV will look incorrect if viewing it somewhere else than Excel. #### Preserving new lines -Excel only recognize `\r\n` as valid new line inside a cell. +Excel only recognizes `\r\n` as valid new line inside a cell. #### Unicode Support -Excel can display Unicode correctly (just setting the `withBOM` option to true). However, Excel can't save unicode so, if you do changes to the CSV and save it from Excel, the Unicode character will not be displayed correctly. +Excel can display Unicode correctly (just setting the `withBOM` option to true). However, Excel can't save unicode so, if you perform any changes to the CSV and save it from Excel, the Unicode characters will not be displayed correctly. ### PowerShell escaping
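Review bot: The OWASP link in the new "Avoiding CSV injection" paragraph is missing its closing parenthesis: `(see [CSV Injection](https://www.owasp.org/index.php/CSV_Injection).` should end with `CSV_Injection)).` so that both the Markdown link and the parenthetical close and the link renders. In the same sentence, "As part of Excel automatically format detection" should read "As part of Excel's automatic format detection". The last added paragraph ("Enabling the `excelString` option produces an Excel-specific CSV file ...") repeats, word for word, the sentence changed at the top of this hunk under the previous subsection; rather than duplicating it, refer back to it with something like "The `excelString` option described above also addresses this, since Excel then treats every string field as text rather than evaluating it as a formula," and state plainly that this is an Excel-only mitigation and not a change to the CSV content, which the preceding paragraph already implies by locating the problem in how Excel parses the file.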