Closed karlseguin closed 2 years ago
Hi @karlseguin, thanks for the PR!
I think we should have a paragraph explaining the exploit in more detail. The last paragraphs of the linked article, which explain when this is necessary, are a helpful addition.
We should also document that you can handle this as part of preprocessing, without enabling the escape formula option. I.e. users can do `String.starts_with?(field, ~w(@ + - =))` and then prepend it themselves.
Finally, I am also concerned that the concept of formulas may change over time or different tools may have extensions, so perhaps we should make both delimiters and escape configurable. Something like: `escape_formula: %{~w(@ + - =) => "\t"}`.
WDYT?
One last suggestion and we are good to go!
:green_heart: :blue_heart: :purple_heart: :yellow_heart: :heart:
Add `escape_formula` option (defaults to nil) which, when set, escapes potential formulas with the configured value. I considered making the list of formula markers configurable, but I thought being opinionated with respect to this security feature would be better.
Some details on the general issue at: http://georgemauer.net/2017/10/07/csv-injection.html
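As an added illustration (not code from this PR or its library), here is the preprocessing approach the reviewer describes, using the markers-to-prefix map he sketches; the module name `CsvFormulaEscape`, its functions and the sample rows are all hypothetical.

```elixir
# Added example, not part of the PR: escape spreadsheet-formula markers in CSV
# cells before they are dumped, so the exporting application neutralises CSV
# injection regardless of which CSV writer it uses.
defmodule CsvFormulaEscape do
  @moduledoc """
  Prefixes fields that start with a formula marker so a spreadsheet that opens
  the exported file treats the cell as text instead of evaluating it.
  """

  # Opinionated default: the four markers named in the PR, escaped with a tab.
  @default_escape %{~w(@ + - =) => "\t"}

  @doc """
  `escape_formula` is `nil` (no escaping, mirroring the option's default) or a
  map from a list of marker strings to the prefix that should be prepended.
  """
  def escape_field(field, escape_formula \\ @default_escape)

  def escape_field(field, nil), do: field

  def escape_field(field, %{} = escape_formula) when is_binary(field) do
    # String.starts_with?/2 accepts a list of prefixes; the first matching
    # marker group wins, otherwise the field is returned unchanged.
    Enum.find_value(escape_formula, field, fn {markers, prefix} ->
      if String.starts_with?(field, markers), do: prefix <> field
    end)
  end

  # Non-string cells (integers, nil, ...) cannot start with a marker.
  def escape_field(field, _escape_formula), do: field

  @doc "Apply `escape_field/2` to every cell of every row."
  def escape_rows(rows, escape_formula \\ @default_escape) do
    Enum.map(rows, fn row -> Enum.map(row, &escape_field(&1, escape_formula)) end)
  end
end

# Constructed sample rows: the first row's second cell would be evaluated as a
# formula by a spreadsheet; the second row shows the cost of escaping, since a
# legitimate phone number starting with "+" is prefixed too, which is why the
# option is off by default.
rows = [
  ["alice", "=1+1"],
  ["bob", "+44 20 1234"],
  ["carol", 42]
]

IO.inspect(CsvFormulaEscape.escape_rows(rows))
```

Passing `nil` as the second argument of `escape_rows/2` returns the rows untouched, and a custom map such as `%{~w(=) => "'"}` changes both the marker set and the prefix.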