fix: update safe output regex and the docs (#1805)

Co-authored-by: jackton1 <[email protected]>
Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Tonye Jack <[email protected]>

Author: 3 people

README.md

@@ -572,6 +572,12 @@ Support this project with a :star:
     # Default: "\n"
     recover_files_separator: ''
 
+    # Apply sanitization to output filenames before being set as 
+    # output. 
+    # Type: boolean
+    # Default: "true"
+    safe_output: ''
+
     # Split character for output strings.
     # Type: string
     # Default: " "

dist/index.js

@@ -1355,7 +1355,10 @@ export const setOutput = async ({
 
   // if safeOutput is true, escape special characters for bash shell
   if (safeOutput) {
-    cleanedValue = cleanedValue.replace(/[$()`|&;]/g, '\\$&')
+    cleanedValue = cleanedValue.replace(
+      /[^\x20-\x7E]|[:*?"<>|;`$()&!]/g,
+      '\\$&'
+    )
   }
 
   core.setOutput(key, cleanedValue)