--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/classes/hirondelle/web4j/security/PermittedCharactersImpl.java	Wed Dec 04 17:00:31 2013 +0100
@@ -0,0 +1,30 @@
+package hirondelle.web4j.security;
+
+/**
+ Default implementation of {@link hirondelle.web4j.security.PermittedCharacters}.
+ 
+ <P>This class permits only those characters which return <tt>true</tt> for
+ {@link Character#isValidCodePoint(int)}.
+ 
+ <P>Since {@link SafeText} already escapes a long list of special characters, those 
+ special characters are automatically safe for inclusion here.
+ <em>That is, you can usually accept almost any special character, because 
+ <tt>SafeText</tt> already does so much escaping anyway.</em>
+ 
+ <P>Given the importance of this issue for web application security, however, 
+ WEB4J still allows you to define your own implementation of this interface, as 
+ desired. 
+ 
+ <P>This is a very liberal implementation. Applications should consider replacing this 
+ implementation with something less liberal. For example, an alternate implementation 
+ might disallow carriage returns and line feeds, or might specify the characters of 
+ some particular block of Unicode.
+*/
+public class PermittedCharactersImpl implements PermittedCharacters {
+
+  /** See class comment. */
+  public boolean isPermitted(int aCodePoint) {
+    return Character.isValidCodePoint(aCodePoint);
+  }
+  
+}