commit
message
Adding comment about injection attacks.
author
Ben Vogt <[email protected]>
date
2017-01-19 00:23:36
stats
1 file(s) changed,
6 insertions(+),
0 deletions(-)
files
README.md
1diff --git a/README.md b/README.md
2index 5b3b038..1a454a1 100644
3--- a/README.md
4+++ b/README.md
5@@ -19,3 +19,9 @@ Here are a couple of the issues with Dates and so on:
6 * There seem to be a few issues where someone did something sloppy inside formulaJS, and timezones, daylight-savings,
7 and leap years are being taken into account when they shouldn't be. For now I think I should just let it go.
8 The resulting errors from these bugs aren't that bad. I'll mark them down, and investigate them individually.
9+
10+### Protect against injection
11+How do we protect against users injecting data that looks like `console.log(sensitive_data)` when we evaluate variables
12+inside parser.js? If we ever want to impliment custom formulas, or even accept data in raw format, we need to guard
13+against this. Or else someone could load a CSV with javascript and when our spreadsheet opens it, then suddenly
14+arbitrary javascript is executed in the client machine.
15\ No newline at end of file
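Review bot: The new "Protect against injection" section poses the question (lines `+How do we protect against users injecting data that looks like ...` through `+arbitrary javascript is executed in the client machine.`) but records no answer, so a reader of the README cannot tell whether the risk is open or already mitigated. Suggest closing the paragraph with the intended rule, e.g. that cell contents are always treated as data and never passed to `eval`/`new Function`, that formulas are evaluated only through the grammar in parser.js with a fixed set of allowed functions, and that CSV import therefore cannot execute anything on load; if that decision has not been made yet, say so explicitly and link the tracking issue. Also, "impliment" on the `+inside parser.js?` line should read "implement", and the file should end with a trailing newline (the diff reports `\ No newline at end of file`).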