I think we should be checking user input more carefully, especially as
we are sending it unchecked to some backends.
We can filter out a lot of the badness by filtering for
"$`'"^[]{}@#/\<>|" - do you guys know any packages with names that have
these chars in?
Thanks.
Richard.