#Security improvements

#47 works well

For the summary cleanup please

As a site owner, I'm going to miss Parentheses, Ampersand and Space., A little less Brackets, Pound Sign and Exclamation Point though I encounter them.

As a security engineer: This is not a bad hardening, however it is certainly not a fix for wherever the faults actually occur.

As someone who has used this in the past to perform sample RCE's against site setups; I can say yes this would make it much harder to exploit.

I also wish to reiterate that for these characters to cause issue someone has had to make some very serious mistakes down stream, mistakes that this change likely does not actually remove the vulnerabilities , just at most makes it significantly harder to exploit (move from Basic to Complex, saving 1 point on the Drupal Vulnerability Scoring ) and maybe move the Impacted Environment from All to Uncommon (2 points on the Drupal Score scale).

I agree with @smustgrave the 'excluded' ideas would be nice to have listed for historical purposes.

Sorry to be a stickler

Can what’s not making it in be scratched from the proposed solutio

I think we agreed on stripping special characters. It was more about which characters to strip. I have a feeling stripping whitespace might be contentious.

Mean the proposed solution read like there were several approaches? Unless I read that wrong

Looking at the solution were all options taken?

Do you mean are all the special characters included?

We can probably identify a few more patterns that we can exclude other than just form, such as entity view and so on.

Looking at the test fails, most have a few but many are repeating very often. If we fix a few of, e.g. system, user and entity routes them then we might get a better picture of how big the impact really is.

Considering recent contrib security issues, I think it's worth exploring this bit. I think the entity query access change was at least as impactful. this is mostly about a single file per module and easier to identify than those entity queries.

As Drupal 7.x and also modules 7.x versions "ended their lives", closing the 7.x issues.

And thanks for participating and using the module.

p.s. if this still an issue on the latest 2.x version, please feel free to re-open and update the version accordingly.

p.s.2. I know it's a S issue ... but ...

Tests appear to be there so removing that tag.

Looking at the solution were all options taken?

Automatically closed - issue fixed for 2 weeks with no activity.

I forgot this issue existed and opened 📌 Require password confirmation to install new code Active against project browser. Cross-linking the two issues.