Kirill??? Not Log4J2 passes it, but the application developer. He is responsible to sanitize user input. Log4J2's fault is to trying to interprete this.