How can I send '#' special character to the controller when xss filter is on?

To Dear Experts.

Most of recent e-commerce site support special charactor '#' in password field.

If I set 'xss.filter.enabled=false', then customers can use '#' special character in password field in hybris(SAP Customer Experience) .

But for security reasons, our team have to set 'xss.filter.enabled=true'.

What class or xss.filter.rule do remove '#' character from parameters?

How can I send '#' special character to controller when xss filter is on?

I'm going to try excluding specific filter using filterConfig, but I don't know what specific filter removes '#' character.

I read several threads already, but I coundn't find the clear answer yet.

1. https://answers.sap.com/questions/12758960/view.html

2. https://answers.sap.com/questions/12722914/bug-in-username-login-page-hybris-version-68.html

3. https://hybrismart.com/2018/04/14/five-things-about-sap-hybris-you-probably-didnt-know/

Thank you for taking the time to read this thread :)

Have a nice weekend!