Make user aware of the risk of using qqx (#3696)

* Add `qqx` example to warn user about the possiblity of arbitrary code
execution

* * Add `qqx` section in traps
* warns user about `qqx` in quoting

* Fix Typos

Author: hythm7

doc/Language/quoting.pod6

@@ -513,6 +513,8 @@ Again, the output of the external command can be kept in a variable:
     # runs the command: grep -i cool /usr/share/dict/words
     say $output;      # OUTPUT: «Cooley␤Cooley's␤Coolidge␤Coolidge's␤cool␤...»
 
+Be aware of the content of the Raku variable used within an external command; malicious content can be used to execute arbitrary code. See L<C<qqx> traps|/language/traps/Beware_of_variables_used_within_qqx>
+
 See also L<run|/routine/run> and L<Proc::Async|/type/Proc::Async> for
 better ways to execute external commands.
 

doc/Language/traps.pod6

@@ -644,6 +644,17 @@ my $a = 1;
 say Q:c«{$a}()$b()»;
 # OUTPUT: «1()$b()␤»
 
+=head2 Beware of variables used within C<qqx>
+
+Variables within C<qqx[]> can introduce a security hole; the variable content can be set to well-crafted string and execute arbitrary code:
+
+=for code
+my $world = "there\";rm -rf /path/to/dir\"";
+say qqx{echo "hello $world"};
+# OUTPUT: «hello there␤»
+
+The above code will also delete I</path/to/dir>, you can avoid this problem by making sure the variable content does not have shell special characters, or use L<run|/routine/run> and L<Proc::Async|/type/Proc::Async> for better ways to execute external commands.
+
 =head2 Strings are not iterable
 
 There are methods that L<Str|/type/Str> inherits from L<Any|/type/Any> that work