//nefariousplan

Convention Is The Allowlist

A specification, RFC, or framework convention implies that an attacker-controllable field takes one of a constrained set of values, by how the spec exercises the field elsewhere rather than by formal grammar. The implementation parses the field at its broad syntactic type and accepts everything the type permits. The implicit allowlist exists in the spec authors' heads and in downstream consumers' assumptions; the code never installed it. The patch closes the demonstrated chain by narrowing the value set against the immediate context; the set of accepted values remains whatever happens to be supported by the surrounding subsystems today.
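The pattern above in code, as an added illustration that is not part of the original post: a constructed endpoint line format `TRANSPORT:HOST:PORT` whose hypothetical spec grammatically allows any token for `TRANSPORT` but only ever exercises `tcp` and `udp`. `parse_broad` accepts the whole syntactic type, `parse_patched` narrows against whatever the surrounding dispatch table (`SUBSYSTEM_HANDLERS`, an assumption) supports today, and `parse_allowlisted` installs the value set the spec implied. All names, the format and the handler table are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed message format for this example (not a real protocol): an
# endpoint line "TRANSPORT:HOST:PORT". The hypothetical spec's grammar says
# TRANSPORT is any token, but every example and every consumer in the spec
# uses only "tcp" or "udp". That is the implicit allowlist.
TOKEN = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")

# Explicit allowlist: the value set the spec actually exercises, written down
# in code instead of left in the authors' heads.
ALLOWED_TRANSPORTS = frozenset({"tcp", "udp"})

# Hypothetical dispatch table of whatever the surrounding subsystem happens to
# support today. "unix" and "file" are here because some other code path
# registered them, not because the endpoint spec ever allowed them.
SUBSYSTEM_HANDLERS = {
    "tcp": lambda ep: f"connect tcp {ep.host}:{ep.port}",
    "udp": lambda ep: f"send udp {ep.host}:{ep.port}",
    "unix": lambda ep: f"connect unix socket {ep.host}",
    "file": lambda ep: f"open file {ep.host}",
}


@dataclass(frozen=True)
class Endpoint:
    transport: str
    host: str
    port: int


def parse_broad(line: str) -> Endpoint:
    """Parse at the syntactic type: any token the grammar permits is accepted."""
    parts = line.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected TRANSPORT:HOST:PORT")
    transport, host, port = parts
    if not TOKEN.match(transport):
        raise ValueError("transport is not a token")
    if not host:
        raise ValueError("empty host")
    return Endpoint(transport.lower(), host, int(port))


def parse_patched(line: str) -> Endpoint:
    """The 'narrow against the immediate context' fix: accept whatever a
    handler exists for today. It closes a demonstrated chain, but the accepted
    set now drifts with the dispatch table instead of tracking the spec."""
    ep = parse_broad(line)
    if ep.transport not in SUBSYSTEM_HANDLERS:
        raise ValueError(f"no handler for transport {ep.transport!r}")
    return ep


def parse_allowlisted(line: str) -> Endpoint:
    """Install the allowlist the spec implied: only the values it exercises."""
    ep = parse_broad(line)
    if ep.transport not in ALLOWED_TRANSPORTS:
        raise ValueError(f"transport {ep.transport!r} not permitted by spec")
    return ep


def accepted_transports(parser, candidates):
    """Which candidate transport values a parser lets through, for comparing
    the three parsers on the same probes."""
    accepted = set()
    for t in candidates:
        try:
            accepted.add(parser(f"{t}:host.example:443").transport)
        except ValueError:
            pass
    return frozenset(accepted)


if __name__ == "__main__":
    probes = ["tcp", "udp", "unix", "file", "x-anything"]
    for name, p in [("broad", parse_broad),
                    ("patched", parse_patched),
                    ("allowlisted", parse_allowlisted)]:
        print(f"{name:11s} accepts {sorted(accepted_transports(p, probes))}")
```

Running the block shows the three accepted sets shrinking from "every token" to "every registered handler" to "what the spec exercises"; the middle one is the state the paragraph describes, where adding a handler elsewhere silently widens what this parser admits.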