From 3ddb369e7ebd70fbe3d8f7fdd441034f19dac104 Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Wed, 10 May 2023 14:42:24 +1000 Subject: [PATCH] updates to rec for CSV Injection --- .../external_behavior/csv_injection/recommendations.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/submissions/description/external_behavior/csv_injection/recommendations.md b/submissions/description/external_behavior/csv_injection/recommendations.md index 406e7159..9b0277a2 100644 --- a/submissions/description/external_behavior/csv_injection/recommendations.md +++ b/submissions/description/external_behavior/csv_injection/recommendations.md @@ -1,6 +1,7 @@ # Recommendation(s) -It is recommended to sanitize the input fields of CSVs so that the content is read as text only by the spreadsheet editor +It is recommended to validate and sanitize the input fields of CSVs so that the content is read as text only by the spreadsheet editor. The appropriate content type should also be set in the response header when serving CSV files. For example, `Content-Type: text/csv`. +Additionally, dynamic formula injection can be prevented by not allowing user-supplied input to be directly interpreted as a calculation or formula. This can be achieved by removing the functionality, or implementing a separate mechanism that handles the user input securely. For more information, please see:
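Review bot: the second added line's guidance to prevent dynamic formula injection by "removing the functionality, or implementing a separate mechanism that handles the user input securely" is too vague for a recommendations page; name the concrete control the first line already relies on ("read as text only"), e.g. before writing the CSV, prefix any cell value that begins with `=`, `+`, `-` or `@` with a single quote (and quote the field) so the spreadsheet editor treats it as literal text rather than a formula. Also, in the first added line, `For example, `Content-Type: text/csv`.` is a sentence fragment; fold it into the preceding sentence (`... when serving CSV files, for example `Content-Type: text/csv`.`). Finally, the trailing context line `For more information, please see:` ends with a colon, so confirm the references that follow it still match the expanded advice (validation, sanitization and the content type header) rather than only the original sanitization sentence.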