- 11 Nov, 2021: 6 commits
  - Marc Cornellà authored: The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information, which results in a double evaluation of this information, so a malicious git repository could trigger a command injection if the user cloned and entered the repository. A similar method could be used in the refined theme. All themes have been patched against this vulnerability.
  - Marc Cornellà authored: The `rand-quote` plugin uses quotationspage.com and prints part of its content to the shell without sanitization, which could trigger command injection. There is no evidence that this has been exploited, but this commit removes all possibility for exploit. Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the shell, also without sanitization. Furthermore, there is also no evidence that this has been exploited, but with this change it is now impossible.
  - Marc Cornellà authored: The `title` function unsafely prints its input without sanitization, which, if used by custom user code that calls it, could trigger command injection. The `spectrum_ls` and `spectrum_bls` functions could similarly be exploited if a variable is changed in the user's shell environment with a carefully crafted value. This is highly unlikely to occur (and if possible, other methods would be used instead), but with this change the exploit of these two functions is now impossible.
  - Marc Cornellà authored: The plugin unsafely processes directory paths in pop_past and pop_future. This commit fixes that.
  - Marc Cornellà authored: The `omz_urldecode` function uses an eval to decode the input, which can be exploited to inject commands. This is used only in the svn plugin and it requires a complex process to exploit, so it is highly unlikely to have been used by an attacker.

- 10 Nov, 2021: 3 commits
  - Kirill Molchanov authored
  - Marc Cornellà authored
  - Marc Cornellà authored: Fixes #10404

- 09 Nov, 2021: 6 commits
  - Marc Cornellà authored
  - Marc Cornellà authored
  - Marc Cornellà authored
  - Marc Cornellà authored
  - Janusz Mordarski authored
  - Kevin Burke authored: Co-authored-by: Marc Cornellà <hello@mcornella.com>

- 08 Nov, 2021: 2 commits
  - Shahin Sorkh authored
  - Marc Cornellà authored

- 05 Nov, 2021: 2 commits
  - Jonathan Batchelor authored: Apple changed the name of their operating system from OS X to macOS a number of years ago. This was overdue! As per issue #10311:
    * refactor(osx): rename `osx` plugin to `macos`
    * refactor(macos): add symbolic link from old `osx` plugin name.
  - Marc Cornellà authored

- 03 Nov, 2021: 2 commits
  - Marc Cornellà authored
  - amnore authored

- 02 Nov, 2021: 5 commits
  - Aaron Hutchinson authored
  - Michael Peick authored: Closes #8370
  - Marc Cornellà authored
  - Marc Cornellà authored: Fixes #10350
  - Richard Mitchell authored

- 30 Oct, 2021: 1 commit
  - Afzal Sayed authored

- 29 Oct, 2021: 1 commit
  - YR Chen authored

- 27 Oct, 2021: 2 commits
  - Christophe Bliard authored
  - Marc Cornellà authored: In recent zsh versions, in `${(@ps:$sep:)var}`, where $sep is a variable containing a separator string and $var is a string with multiple values separated by $sep, the `p` flag makes zsh correctly expand $sep before splitting $var. In versions older than 5.0.8, this doesn't happen, so we use `eval` to get the same effect.

- 26 Oct, 2021: 6 commits
  - Marc Cornellà authored
  - Marc Cornellà authored
  - Marc Cornellà authored
  - Marc Cornellà authored
  - José Camelo Freitas authored
  - Marc Cornellà authored: Fixes #10345

- 25 Oct, 2021: 1 commit
  - Sina Tak Tehrani authored

- 23 Oct, 2021: 1 commit
  - Marc Cornellà authored: Fixes #8492

- 20 Oct, 2021: 2 commits
  - Rob Vadai authored: Co-authored-by: Marc Cornellà <hello@mcornella.com>
  - Marc Cornellà authored: BREAKING CHANGE: all `gem` aliases that started with `g` now start with `ge` to fix conflicting names with the `git` plugin. Also, the `ghlp` alias is now renamed `geh`. Have a look at the plugin README for more information. Fixes #10320