Yes, of course. Everything that is stored or transmitted must have a defined serialization. And any piece of code as widely used as this is going to have security issues.
What is your point? That strings don't need defined formats? That they have fewer security issues?