Hi,
By default, nearly every meta character is disallowed for use as a parameter value.
In my opinion, this is a little bit too much security for most web applications. This is only necessary if you need a lot of security for your application.
It would be necessary to validate every parameter value the user entered in the web application before the request is sent to the server, e.g. by JavaScript or a special webpage.
If you don't do that, I recommend allowing most of the meta characters for parameter values.
1. If you have trouble with only one parameter value (password), you can do this for that single parameter value only.
2. You can allow the meta characters for all parameter values, too. It saves a lot of time in configuration or policy learning.
i.e. you are not so strict with the user and he is allowed to type in a wrong value because of a mistake.
I recommend the second option. In my opinion, this is no security risk.
You can learn the meta characters with the policy builder.
Especially the password parameter produces a lot of violations if you don't accept meta characters. A strong password should contain some of them. If the user uses a password generator, there can be a lot of them inside.
regards