Hi,
For websites I’ve always restricted username to use Apostrophe ' and " and some times even space . If a website necessitate special character then I prefer to create an additional DB field ~DisplayName.
It’s easier to forbid the use of Apostrophe, otherwise you will have to escape also your search query to match what has been recorded in the DB.
On the topic I’ve this https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense
But if you have better documentation feel free to share :)
Thanks
Since character filtering is all about edge cases, I would like to note that if someone uses an FF14 character name as a display name, the game allows for apostrophe and hyphen and will have a single space.
It’s not a huge edge case population wise (unless you’re building an application focused on that community or genre), but as others have said it’s much safer to prevent the injection from happening in the first place using an interface rather than try to figure out all the way a user can break out of a constructed string.