Do perform input validation on all input before passing it to a command processor.
Do handle the failure securely if an input validation check fails.
Do not pass unvalidated input to any command processor, even if the intent is that the input will just be data.
Do not use the deny-list approach, unless you are 100 percent sure you are accounting for all possibilities.
Consider avoiding regular expressions for input validation; instead, write simple and clear validators by hand.
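
The checklist above as an added example, not code from the original page: a hand-written allow-list validator for a hostname (no regular expression, no deny-list), a caller that fails closed when validation rejects the input, and a child process that receives the value as a single argument without a shell. The function names, the hostname use case and the Python child that stands in for a real command processor are assumptions made for illustration.

```python
import string
import subprocess
import sys

# Allow-list: the only characters a hostname label may contain.
_LABEL_CHARS = frozenset(string.ascii_letters + string.digits + "-")
_MAX_NAME = 253   # maximum length of a full DNS name
_MAX_LABEL = 63   # maximum length of one dot-separated label


def validate_hostname(value):
    """Return value unchanged if it is a plain DNS hostname, else raise ValueError."""
    if not isinstance(value, str) or not 0 < len(value) <= _MAX_NAME:
        raise ValueError("hostname rejected: bad type or length")
    for label in value.split("."):
        if not 0 < len(label) <= _MAX_LABEL:
            raise ValueError("hostname rejected: bad label length")
        # A leading '-' could be read as an option by the program that runs next.
        if label[0] == "-" or label[-1] == "-":
            raise ValueError("hostname rejected: label starts or ends with '-'")
        if not _LABEL_CHARS.issuperset(label):
            raise ValueError("hostname rejected: character outside allow-list")
    return value


def echo_via_child(host):
    """Validate first, then pass the value as one argv element (no shell involved)."""
    safe = validate_hostname(host)  # raises before any process is started
    # Hypothetical stand-in for the real command: a child that prints its argument.
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", safe]
    done = subprocess.run(child, capture_output=True, text=True, check=True, timeout=10)
    return done.stdout.strip()


def handle_request(host):
    """Fail securely: on rejection nothing runs and the caller gets a generic error."""
    try:
        return ("ok", echo_via_child(host))
    except ValueError:
        return ("error", "invalid hostname")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    for sample in ["www.example.com", "example.com; id", "-x.example.com", "a..b", ""]:
        print(repr(sample), "->", handle_request(sample))
```

The validator is applied even though the value is only ever passed as data, which is the case the fourth item in the list calls out.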