Suggest and use less -U when showing script for review

[dgl]

Without -U it is possible to use characters like backspace (^H) to hide the real script.

For example:

$ printf '#!/bin/sh\necho i am evil #\b\b\b\b\b\b\b\b\b\b\bhello world\n' > evil.sh
$ less evil.sh
[shows "hello world"]
$ sh evil.sh
i am evil

(I've previously covered some of this in research like https://dgl.cx/term. There's no security reporting instructions in the repo, so I'm reporting publicly with a fix, as this doesn't seem critical.)

[dgl]

Note I've just used less -U here, it would be nice to expand tabs, but that would require version detection for less or something, see gwsw/less#335.

[dgl]

See also https://news.ycombinator.com/item?id=44671221 and https://github.com/jwilk/unfaithful-less for a more elaborate demo of confusing less.

[lykhvar]

Thanks for your contribution — the fix is spot-on. I'm merging this right away.

Regarding tab expansion, I've opened issue #26 to track your suggestion — we can continue the discussion there.