This is Legacy, so it has nothing to do with the roadmap, but it does concern a new feature.
See https://jira.ez.no/browse/EZP-28901 and pull request https://github.com/ezsystems/ezpublish-legacy/pull/1349
Can we make the ezhttp operator safer by default without breaking backwards compatibility? We generally do not add new features to Legacy anymore. However, this user-submitted fix adds some safety against injection attacks in case the wash operator is not used as it should be (or other kinds of input sanitation). But I’m unsure if it may break existing code, even though the automated tests pass. Legacy test coverage is limited. Your input and reviews are welcome!