Using DAV it is possible to create a file with any character in the name. We have to allow this, because DAV expects that any file it stores can be retrieved and will have the same name.
I don't immediately see any way to exploit this, but I worry about possible security implications if you let users put delimiters into strings.
Patch attached. I've given it some testing, but certainly not extensive.