How is that dangerous? If you pipe output from a directory listing to *any* command you need to sanitize it. That's normal if you have data that can be created by a user. The issue is known since the very beginning of Linux