I meant in terms of what it's outputting from the models, not what it's accepting as input. Since most apps accept input from users via API endpoints or forms, sanitizing the output strikes me as more important than sanitizing the input, although ideally both should happen.
I don't have any good example data, but this is what I'm talking about:
https://github.com/wagtail/wagtail/issues/3466
A lot of folks don't care about this if they are making libraries for users, since it's really an issue with Excel, but if people within your company are the ones who are going to be potentially getting pwned then it makes less sense to me to just blame MS or whatever.