Some more changes are being made to improve safety and precision when running commands from SciTE.
All properties files included with SciTE now quote path name variables in commands with double quotes so that paths that include spaces (as is common on Windows) or some other special characters work correctly.
For example,
command.build.*.tex=dvips -f $(FileName).dvi > $(FileName).ps
has changed to
command.build.*.tex=dvips -f "$(FileName).dvi" > "$(FileName).ps"
On Unix, it is possible to execute commands inside a string with the `command` or $(command) syntaxes. This can be exploited by distributing a file with a name containing an invocation like doesNot`doEvil`.c and hoping someone runs a compiler or linter on the file through a shell.
To prevent this, SciTE added an unsafe.path.characters property that can be set in user options. It currently defaults to `$\" on Unix and is empty on Windows. For any path that includes any of these characters, SciTE refuses to run commands through shell. Most people never use these characters in file names so this should have little impact but if you want to you can set unsafe.path.characters to empty.
It is also possible to perform Unix shell escaping on commands with the properties escape function like this:
command.go.*.py=py $(escape FileNameExt)
Escaping can be tricky to get just right in some circumstances and unsafe.path.characters is more robust so should be the default strategy here.