Query security improvements.

  - Fail faster on disallowed character detection.
  - Fail at function creation instead of code execution on syntax error by using the Function constructor instead of eval.
  - Add square brackets to disallowed characters. As far as I can see, [esoteric](http://www.businessinfo.co.uk/labs/talk/Nonalpha.pdf) [approaches](http://slides.com/sylvainpv/xchars-js/) to writing non-alphanumeric JavaScript were already being thwarted by disallowing the plus sign, semicolon, etc., but there’s no harm in removing these also as subscript syntax is powerful in JavaScript.
  - Add a few more tests.
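
The two behaviours the commit message describes, rejecting a query at the first disallowed character and surfacing syntax errors when the function is built rather than when it runs, can be illustrated as follows. This is an added example, not the project's code: `compileQuery`, `tryCompile`, `DISALLOWED` and the `row` parameter are hypothetical names, and the character set holds only the characters the message names (the project's full list is not shown here).

```javascript
// Added illustration; all names here are hypothetical, not the project's API.
// Only the characters named in the commit message: plus sign, semicolon,
// and square brackets. The real list ("etc.") is not reproduced.
const DISALLOWED = /[+;\[\]]/;

function compileQuery(expr) {
  if (typeof expr !== 'string') {
    throw new TypeError('query must be a string');
  }
  // Fail fast: exec() stops at the first offending character, so the
  // expression is rejected before any parsing or evaluation happens.
  const hit = DISALLOWED.exec(expr);
  if (hit) {
    throw new Error(
      `disallowed character ${JSON.stringify(hit[0])} at index ${hit.index}`
    );
  }
  // The Function constructor parses its body immediately, so a malformed
  // expression throws SyntaxError here, at creation, instead of later when
  // the query is first executed against data. Unlike direct eval, the
  // resulting function does not see the caller's local variables.
  return new Function('row', `"use strict"; return (${expr});`);
}

// Wrapper that reports the outcome instead of throwing, for inspection.
function tryCompile(expr) {
  try {
    return { ok: true, fn: compileQuery(expr) };
  } catch (e) {
    return { ok: false, error: `${e.name}: ${e.message}` };
  }
}

// Constructed sample queries.
const samples = ['row.age > 30', 'row["age"]', 'row.age >', 'row.a + row.b'];
for (const q of samples) {
  const r = tryCompile(q);
  console.log(JSON.stringify(q), '=>', r.ok ? 'compiled' : r.error);
}
```

A character blocklist narrows what an expression can spell; it does not by itself confine what the compiled function can reach, so it should sit alongside other controls on who may submit queries.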