Hello,

Sorry to storm in on a discussion that probably happened internally, but correct me if I am wrong: the solution offered doesn't seem to fix the original issue, which appears to be due to a lack of sanitization, but rather disables it by default.

This seems a bit lacking if that is the case, as if some software happens to have a use case for the feature, they will each be forced to apply their own variant solution, and otherwise it can be accessed by other vulnerabilities.

Hope you could verify regarding those concerns.

Daniel