CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection.
csv-safe project csv-safe