Channel: Issues for Drupal core

Add validation of langcode in MachineNameController


Problem/Motivation

In 10.2 we deprecated \Drupal\system\MachineNameController::transliterate.
However it is possible to trigger a 500 exception by passing an array for the text or langcode query params.
We should catch that and return a 400 or similar rather than a 500.

This was originally reported to the security team but has been cleared to be a public issue.

Steps to reproduce

Proposed resolution

Add try/catch for \Symfony\Component\HttpFoundation\Exception\BadRequestException around these lines in \Drupal\system\MachineNameController::transliterate:

    $text = $request->query->get('text');
    $langcode = $request->query->get('langcode');
    $replace_pattern = $request->query->get('replace_pattern');
    $replace_token = $request->query->get('replace_token');
    $replace = $request->query->get('replace');
    $lowercase = $request->query->get('lowercase');

This is a 10.x only issue as the controller has been removed in 11.x.
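A sketch of the proposed try/catch, added here as an illustration and not taken from Drupal core or from any patch on this issue. The helper name `read_transliterate_params()`, the sample path and the choice to rethrow as `BadRequestHttpException` (which carries status 400) are assumptions; it needs symfony/http-foundation and symfony/http-kernel on the autoload path.

```php
<?php
// Added example, not Drupal core's code. Assumes a Composer autoloader that
// provides symfony/http-foundation and symfony/http-kernel.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Exception\BadRequestException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

/**
 * Hypothetical helper: reads the query parameters used by transliterate()
 * and maps non-scalar input to an HTTP 400 instead of an unhandled error.
 */
function read_transliterate_params(Request $request): array {
  $keys = ['text', 'langcode', 'replace_pattern', 'replace_token', 'replace', 'lowercase'];
  $params = [];
  try {
    foreach ($keys as $key) {
      // InputBag::get() throws BadRequestException when the stored value is
      // an array (for example ?langcode[]=en); missing keys return NULL.
      $params[$key] = $request->query->get($key);
    }
  }
  catch (BadRequestException $e) {
    // Keep the original exception as "previous" for logging, but give the
    // client a fixed message and a 400 status.
    throw new BadRequestHttpException('Invalid query parameter.', $e);
  }
  return $params;
}

// Constructed sample requests; the path is a placeholder.
$ok = Request::create('/example/transliterate', 'GET', ['text' => 'Hello world', 'langcode' => 'en']);
$bad = Request::create('/example/transliterate', 'GET', ['text' => ['a'], 'langcode' => ['en']]);

print_r(read_transliterate_params($ok));

try {
  read_transliterate_params($bad);
}
catch (BadRequestHttpException $e) {
  echo $e->getStatusCode(), ' ', $e->getMessage(), PHP_EOL;
}
```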

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

