Subversion: SVN-3046

document security requirement for hook script arguments


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version: trunk
    • Fix Version: 1.9.0
    • Component: libsvn_repos

    Description

      Add explicit notes to the comments in the hook templates stating the fact that
      the argument values should always be "$QUOTED" in the hook script.

      This is especially important for the PROPNAME arguments to the revprop
      change scripts, which are essentially passed through blindly from the
      client.  (There is a *client-side* validity check, which is
      irrelevant, and a check that it isn't an svn:wc: or svn:entry: prop;
      and perhaps mod_dav_svn imposes other restrictions that I'm not
      familiar with, but at least with svnserve a custom RA-driving client
      could totally set the "foo; rm -rf /;" property.)
      
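      The following is an added illustration of the quoting requirement described in this issue; it is not Subversion's own hook template and not code from the reporter. It shows the same attacker-chosen PROPNAME reaching a hook three ways: unquoted in an ordinary command (word-splitting turns one name into several arguments), re-parsed by a second shell as a hook that forwards to sh -c, ssh or su -c would (which is where "foo; rm -rf /;" becomes command execution), and quoted in a policy check in the shape of a pre-revprop-change hook. `count_args` is a constructed stand-in for svnlook or any other command the hook would invoke, `echo` stands in for the forwarded command, and the property name `foo; echo INJECTED` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for SVN-3046, not Subversion's own hook template.
# Subversion invokes the hook as:
#   pre-revprop-change REPOS-PATH REV USER PROPNAME ACTION   (new value on stdin)
# PROPNAME is chosen by the client, so every expansion of it must be "$QUOTED".

# Stand-in (constructed for this example) for any command the hook would hand
# PROPNAME to, such as svnlook or a mailer: it reports how many arguments arrived.
count_args() {
    echo "$#"
}

# Unquoted: the shell word-splits and glob-expands PROPNAME before the command
# runs, so "svn:log --revprop" arrives as two arguments (argument injection)
# and "*" arrives as the contents of the current directory.
args_seen_unquoted() {
    PROPNAME=$1
    count_args $PROPNAME
}

# Quoted: PROPNAME is always exactly one argument, whatever it contains.
args_seen_quoted() {
    PROPNAME=$1
    count_args "$PROPNAME"
}

# A hook that forwards to another shell (sh -c, ssh host "...", su -c) has that
# shell re-parse the string as code; "foo; rm -rf /;" then runs rm.  echo stands
# in for the forwarded command so the demonstration is harmless.
notify_unsafe() {
    PROPNAME=$1
    sh -c "echo changed: $PROPNAME"
}

# Fixed form: PROPNAME travels as a positional parameter and is expanded,
# quoted, inside the inner shell, so it is data rather than code.
notify_safe() {
    PROPNAME=$1
    sh -c 'echo "changed: $1"' notify "$PROPNAME"
}

# Policy check in the shape of a pre-revprop-change hook: permit only
# modification of svn:log.  Every argument is quoted and the comparison is a
# plain string equality, so a crafted PROPNAME cannot change the test's shape.
# A real hook would also pass "$REPOS" and "$REV" to svnlook, quoted the same way.
pre_revprop_change() {
    REPOS=$1; REV=$2; USER=$3; PROPNAME=$4; ACTION=$5
    if [ "$ACTION" = "M" ] && [ "$PROPNAME" = "svn:log" ]; then
        return 0
    fi
    echo "Changing revision property '$PROPNAME' is prohibited" >&2
    return 1
}

# Demonstration with a constructed malicious property name.
EVIL='foo; echo INJECTED'
echo "unquoted argc: $(args_seen_unquoted "$EVIL")   quoted argc: $(args_seen_quoted "$EVIL")"
echo "--- notify_unsafe ---"; notify_unsafe "$EVIL"
echo "--- notify_safe ---";   notify_safe "$EVIL"
pre_revprop_change /srv/repo 5 alice svn:log M && echo "svn:log M: allowed"
pre_revprop_change /srv/repo 5 alice "$EVIL" M 2>/dev/null || echo "crafted name: rejected"
```

      Note that unquoted expansion alone does not execute the semicolon: `foo; echo INJECTED` simply becomes three arguments, which is still enough to inject options into svnlook or another command. Execution needs a second parse of the string, which is exactly what forwarding through `sh -c` or a remote shell provides, so the quoting rule in the hook templates matters for both classes of hook.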

          People

            Assignee: Unassigned
            Reporter: David Samuel Glasser (glasser)