Item13484: Fix template syntax, and a taint issue

NatEditPlugin/templates/edit.natedit.tmpl

@@ -45,7 +45,7 @@
 <input type="hidden" name="action_checkpoint" value="" />
 <input type="hidden" name="action_preview" value="" />
 <input type="hidden" name="action_replaceform" value="" />
-<input type="hidden" name="editaction" value=%IF{"$'action'='form'" then="form" else=""}% />
+<input type="hidden" name="editaction" value="%IF{"$'action'='form'" then="form" else=""}%" />
 <input type="hidden" name="action_save" value="" />%TMPL:END%
 
 %TMPL:DEF{"textarea"}%<textarea id="topic" class="foswikiTextarea foswikiWysiwygEdit natedit" data-rest-params="?%NONCE%" data-auto-max-expand="true" data-min-height="230" data-min-height="300" %TMPL:P{"natedit::options"}% name="text">%TEXT%</textarea>%TMPL:END%

core/lib/Foswiki/UI/Edit.pm

@@ -53,7 +53,9 @@ sub init_edit {
 
     # empty means edit both form and text, "form" means edit form only,
     # "text" means edit text only
-    my $editaction = lc( $query->param('action') || '' );
+    my $editaction = $query->param('action') || '';
+    $editaction =~ m/^(form|text)$/i;
+    $editaction = lc( $1 || '' );
 
     my $adminCmd   = $query->param('cmd')        || '';
     my $redirectTo = $query->param('redirectto') || '';