proposal/new requirement - served filename in content-disposition header must follow correct encoding #1390

@elarlang

Description

Basically, it must follow RFC 6266: "Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)"
https://tools.ietf.org/html/rfc6266#section-5

Proposal (2023-04-29 updated requirement text and added alternative category):

  • Category: V12.5 "File and Resources > File Download" OR "V5.3 Output Encoding and Injection Prevention"
  • Verify that when Content-Disposition header is used then filename and filename* attribute values are correctly sanitized and encoded.
  • Level: 1, 2, 3
  • CWE: ?
    • CWE-172: Encoding Error

Note: Content-Disposition header may be used with attachment or inline, so we can not limit requirement text only for "download file" functionality.

Why: if not converted correctly, it may give "header injection" possibility

Something like this (even though this one is for mails):

Update:

  • filename - only characters from ISO-8859-1 can be used, value must be sanitized
  • filename* - can be presented in chosen charset (utf-8) and need to be: sanitized + encoded to charset + urlencoded
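An added example (not part of the issue or the ASVS project) of building a Content-Disposition header the way the proposal describes: the plain `filename` value is sanitized and restricted to ASCII (a stricter subset of the ISO-8859-1 the post mentions, chosen here for interoperability), and `filename*` carries the UTF-8 name percent-encoded per RFC 5987; CR/LF and other control characters are stripped so the value cannot break out of the header. All function names are the example's own.

```python
import re
import unicodedata
from urllib.parse import quote

# ASCII control characters (CR/LF among them) must never reach a header value,
# otherwise the filename could terminate the header and inject new ones.
_CTL = re.compile(r"[\x00-\x1f\x7f]")

# RFC 5987 attr-char: ALPHA / DIGIT / "!" / "#" / "$" / "&" / "+" / "-" / "."
#                     / "^" / "_" / "`" / "|" / "~"   (everything else is %-encoded)
_ATTR_CHAR_SAFE = "!#$&+-.^_`|~"


def _basename(name: str) -> str:
    """Drop path components (both separators) and control characters."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return _CTL.sub("", name)


def ascii_fallback(name: str) -> str:
    """Value for `filename=`: ASCII only, safe inside an HTTP quoted-string."""
    name = _basename(name)
    # Transliterate accented letters where NFKD allows, discard the rest.
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode("ascii")
    # Quotes and semicolons would end the quoted-string / parameter early.
    name = name.replace('"', "").replace(";", "").strip()
    return name or "download"


def ext_value(name: str) -> str:
    """Value for `filename*=`: charset, empty language, percent-encoded UTF-8 octets."""
    name = _basename(name) or "download"
    return "UTF-8''" + quote(name.encode("utf-8"), safe=_ATTR_CHAR_SAFE)


def content_disposition(name: str, disposition: str = "attachment") -> str:
    """Build a Content-Disposition value carrying both the fallback and the UTF-8 form."""
    if disposition not in ("attachment", "inline"):
        raise ValueError("disposition must be 'attachment' or 'inline'")
    return f'{disposition}; filename="{ascii_fallback(name)}"; filename*={ext_value(name)}'


if __name__ == "__main__":
    # Constructed sample inputs: a non-ASCII name and a header-injection attempt.
    print(content_disposition("rapport été.pdf"))
    print(content_disposition("evil.txt\r\nSet-Cookie: a=b"))
```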
