Looking at the commit, I would say that all (ok, most) legit custom components will be fine. It seems to be protecting against a custom component doing a few select (suspicious) things. These are the tests for the new security logic; anything matching would be flagged:
    ("/", {"test": "/test/../../api"}),
    ("/", {"test": "test/../../api"}),
    ("/", {"sql": ";UNION SELECT (a, b"}),
    ("/", {"sql": "concat(..."}),
    ("/", {"xss": "<script >"}),
And even then, it throws a warning, and kills only the bad request it seems:
    if FILTERS.search(request.raw_path):
        _LOGGER.warning(
            "Filtered a potential harmful request to: %s", request.raw_path
        )
        raise HTTPBadRequest
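
The behaviour described in the comment above, as an added example that is not part of the original comment and is not the project's code: a raw-path filter that rejects only the matching request and lets ordinary requests through. The pattern set, `BadRequest`, `raw_path`, `check`, `is_filtered` and the benign requests are assumptions made for illustration; the flagged cases are the ones quoted above.

```python
import re
from urllib.parse import quote, urlencode

# Illustrative patterns (an assumption, not the project's FILTERS regex).
# A raw path is still percent-encoded, so literal and encoded forms are matched.
FILTERS = re.compile(
    r"(?:"
    r"(?:\.\.|%2e%2e)(?:/|%2f)"        # path traversal: ../
    r"|(?:<|%3c).*script.*(?:>|%3e)"   # script tag
    r"|union.*select.*(?:\(|%28)"      # UNION SELECT (
    r"|concat.*(?:\(|%28)"             # concat(
    r")",
    re.IGNORECASE,
)


class BadRequest(Exception):
    """Stand-in for HTTPBadRequest so the example runs without aiohttp."""


def raw_path(path, query):
    """Build the percent-encoded path?query string a server would see."""
    return quote(path) + ("?" + urlencode(query) if query else "")


def check(raw):
    """Reject only this request when its raw path matches a pattern."""
    if FILTERS.search(raw):
        raise BadRequest(raw)
    return raw


def is_filtered(path, query):
    try:
        check(raw_path(path, query))
    except BadRequest:
        return True
    return False


# Cases quoted in the comment above, plus constructed benign requests.
FLAGGED = [
    ("/", {"test": "/test/../../api"}),
    ("/", {"test": "test/../../api"}),
    ("/", {"sql": ";UNION SELECT (a, b"}),
    ("/", {"sql": "concat(..."}),
    ("/", {"xss": "<script >"}),
]
BENIGN = [("/api/states", {}), ("/api/history", {"filter": "sensor.union_station"})]
```

A filter that matched only the literal `<`, `(` or `/` would miss the same values once a client percent-encodes them, which is why each pattern here carries both forms.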