Fix htmlfontify.el command injection vulnerability.

* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability.  (Bug#60295)

Author: lu4nx

lisp/htmlfontify.el

@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))