...
- Leading dashes—Leading dashes can cause problems when programs are called with the file name as a parameter because the first character or characters of the file name might be interpreted as an option switch.
- Control characters, such as newlines, carriage returns, and escape—Control characters in a file name can cause unexpected results from shell scripts and in logging.
- Spaces—Spaces can cause problems with scripts and when double quotes aren't used to surround the file name.
- Invalid character encodings—Character encodings can be a huge issue. (See guideline rule IDS03-J. Sanitize non-character code points before performing other sanitization.)
- Any characters other than letters, numbers, and punctuation designated here as portable—Other special characters are included in this recommendation because they are commonly used as separators and having them in a file name can cause unexpected and potentially insecure behavior.
...
Only these characters should be considered for use in file and path names. This is an instance of guideline rule IDS01-J. Sanitize untrusted data passed across a trust boundary.
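The following is an added example, not code from the guideline itself: a validator that rejects a file name for each of the categories listed above and reports which one matched. It assumes incoming names are UTF-8 bytes and that the allowed set is the POSIX portable filename character set (letters, digits, `.`, `_`, `-`); the class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class FileNameCheck {
    // Assumption: allowed set is the POSIX portable filename character set
    // (A-Z a-z 0-9 . _ -), with no dash in first position. Empty names fail too.
    private static final Pattern PORTABLE = Pattern.compile("[A-Za-z0-9._][A-Za-z0-9._-]*");

    /** Returns null if the name is acceptable, otherwise the reason it was rejected. */
    static String reject(byte[] raw) {
        String name;
        try {
            // Strict decode: malformed bytes raise instead of becoming U+FFFD.
            name = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw)).toString();
        } catch (CharacterCodingException e) {
            return "invalid character encoding";
        }
        if (name.startsWith("-")) return "leading dash";
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (Character.isISOControl(c)) return "control character";
            if (c == ' ') return "space";
        }
        if (!PORTABLE.matcher(name).matches()) return "character outside the portable set";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample names, one per category in the list above.
        byte[][] samples = {
            "report_2024.txt".getBytes(StandardCharsets.UTF_8),
            "-rf".getBytes(StandardCharsets.UTF_8),
            "a\nb.log".getBytes(StandardCharsets.UTF_8),
            "my file.txt".getBytes(StandardCharsets.UTF_8),
            {(byte) 0xC0, (byte) 0xAF, 'x'},   // malformed UTF-8 (overlong '/')
            "a;b.txt".getBytes(StandardCharsets.UTF_8),
        };
        for (byte[] s : samples) {
            String why = reject(s);
            // Print bytes as Latin-1 with control characters masked, so the log line stays intact.
            System.out.println(new String(s, StandardCharsets.ISO_8859_1)
                .replaceAll("\\p{Cntrl}", "?") + " -> " + (why == null ? "ok" : why));
        }
    }
}
```

Only the first sample is accepted; each of the others is rejected with the reason for its category. The check works on the raw bytes so that the encoding is validated before any character-level rule runs.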
...