As a general rule, removing "special" (whatever that may mean in a particular context) characters is a much more dangerous and fragile solution than removing everything but "normal" characters. Figure out what you want to allow, and then remove (or throw errors for) anything else.