I believe that all [*] of the problems David Wheeler mentions could be solved if ALL characters in filenames were "escaped" - e.g. by placing them into some unused prefix space of your character encoding - when being processed. ALL of the characters, not just special characters. Characters that already have such a prefix applied get two prefixes applied, etc.
Ditto for any script injection or SQL injection attacks.
Note: * I usually attempt false modesty, and say things like "all or almost all". But this obscures the point. ALL can be.
Fixing Unix/Linux/POSIX Filenames: Control Characters (such as Newline), Leading Dashes, and Other Problems: "Interesting alternative: Auto-convert spaces to unbreakable spaces"
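One possible reading of the escaping scheme described above, as an added example (not code from this post or from David Wheeler's article): every character is moved into a private-use range while it is being processed, and an already-escaped character is pushed one level deeper. It assumes the Plane 15 private-use code points are the "unused prefix space"; `BASE`, `LEVELS`, `escape`, `unescape` and the sample name are hypothetical.

```python
BASE = 0xF0000   # assumption: Supplementary Private Use Area-A is the unused space
LEVELS = 255     # 255 nesting levels x 256 byte values fit below U+FFFFE

def _level(ch):
    """Return (level, byte) for an escaped character, or None for a raw one."""
    off = ord(ch) - BASE
    return (off // 256 + 1, off % 256) if 0 <= off < LEVELS * 256 else None

def escape(name):
    """Escape ALL characters; already-escaped ones gain one more level."""
    out = []
    for ch in name:
        lv = _level(ch)
        if lv is None:
            # Raw character: each of its UTF-8 bytes becomes a level-1 code point.
            # surrogateescape keeps non-UTF-8 filename bytes round-trippable.
            out.extend(chr(BASE + b) for b in ch.encode("utf-8", "surrogateescape"))
        elif lv[0] == LEVELS:
            raise ValueError("escape nesting too deep")
        else:
            out.append(chr(BASE + lv[0] * 256 + lv[1]))
    return "".join(out)

def unescape(name):
    """Remove exactly one level; reject anything that was never escaped."""
    out, pending = [], bytearray()
    def flush():
        if pending:
            out.append(pending.decode("utf-8", "surrogateescape"))
            pending.clear()
    for ch in name:
        lv = _level(ch)
        if lv is None:
            raise ValueError("raw character inside an escaped string")
        if lv[0] == 1:
            pending.append(lv[1])          # level 1 goes back to a raw byte
        else:
            flush()
            out.append(chr(BASE + (lv[0] - 2) * 256 + lv[1]))
    flush()
    return "".join(out)

# Constructed sample: leading dash, newline, shell and SQL metacharacters.
NAME = "-rf\n$(id); ' OR 1=1 --"

if __name__ == "__main__":
    safe = escape(NAME)
    # While escaped, no character is ASCII, so none is a dash, newline or quote.
    print(all(ord(c) >= BASE for c in safe), unescape(safe) == NAME)
```

The escaped form is only turned back into raw characters at the final sink, such as the system call that opens the file; everything in between sees code points that no shell, option parser or SQL grammar treats as special.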