Abandon `escape_hazard()` - Replace with heredoc expansion

[TinCanTech]

escape_hazard() is completely pointless ...

As good as escape_hazard() intention may be, it does not solve the problem with unescaped $ char. The key issue is that set_var() uses eval, which introduces a second layer of shell expansion for variable assignment. And it is set_var() that assigns and expands variables before escape_hazard() can attempt to make irrelevant changes.

This leads to one inevitable conclusion:

• Easy-RSA vars file cannot use standard escaping rules for $ char.

Instead, escaping must be done depending on the desired result.

For a stand alone $, surrounded by spaces, eg: [[:blank:]]$[[:blank:]], no escaping is required. Stand alone $ remains unexpanded.

For any other combination, the most likely solution is to introduce a second layer of escaping, like so: 123\\\$abc. This preserves the escaped $ for set_var() to use. The vars file would be set as:

set_var EASYRSA_REQ_OU "\\\$My-Strange-name-OU\\\$foo"

Which would set EASYRSA_REQ_OU to $My-Strange-name-OU$foo

[TinCanTech]

This problem does not effect any password variables.

CA password can use unescaped $. Default in v3.2.0, requires option --raw-ca in v3.1.7.

All other passwords are either entered directly into the SSL library executing or use standard shell escaping rules.

For Easy-RSA options --passin/--passout, use of $ MUST be escaped, using standard shell escaping rules. Easy-RSA does not allow passwords to be set in the vars file, so they are not subject to set_var() escaping rules.