
Fix code injection in user input?

Open snystrom opened this issue 4 years ago • 0 comments

Example: shellCut("hello_world", f = 1, d = "_ && echo test")

Are there any instances where shell programs use what I call illegal characters for functionality following flags? Could "sanitizing" actually cause failures on the shell? I think they could...

If not, can user input be sanitized by adding escapes?

Ex. gsub("&", "\\\\&", "_ && echo test")

snystrom, Mar 26 '20 22:03
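The question raised in the issue, as an added example that is not part of the original post and not cmdfun's own code: a POSIX sh sketch comparing a command string built from raw input with whole-value quoting and with plain argument passing. The functions `cut_unsafe`, `sh_quote`, `cut_quoted` and `cut_argv` are hypothetical stand-ins for a wrapper that pastes user input into a shell command, and the inputs are constructed from the issue's example call.

```shell
#!/bin/sh
# Added illustration; all function names are hypothetical, not cmdfun code.

# Unsafe: arguments are pasted into a string that a second shell re-parses,
# so "&& echo test" in the delimiter becomes a second command.
cut_unsafe() {
    sh -c "echo $1 | cut -f 1 -d $2" 2>/dev/null
}

# Quote one value for a shell command string: wrap it in single quotes and
# rewrite each embedded ' as '\''. The value reaches the program unchanged.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Same command string, but every user-supplied value is quoted first.
cut_quoted() {
    sh -c "printf '%s\n' $(sh_quote "$1") | cut -f 1 -d $(sh_quote "$2")" 2>&1
}

# No command string at all: each value is passed as its own argument.
cut_argv() {
    printf '%s\n' "$1" | cut -f 1 -d "$2" 2>&1
}

# Constructed inputs: the call from the issue, and a legitimate "&" delimiter.
echo "unsafe:  $(cut_unsafe 'hello_world' '_ && echo test' | tr '\n' ' ')"
echo "quoted:  $(cut_quoted 'hello_world' '_ && echo test' | head -n 1)"
echo "quoted&: $(cut_quoted 'a&b' '&')"
echo "argv&:   $(cut_argv 'a&b' '&')"
```

Quoting the whole value keeps a metacharacter such as `&` usable as a real delimiter, which stripping or rejecting characters would not, and the string from the issue reaches `cut` as one literal argument that `cut` rejects with its own error.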