File xterm-forbid_window_and_font_ops.patch of Package xterm

# forbid dangerous escape sequences (font loading)

diff --git a/XTerm.ad b/XTerm.ad
--- a/XTerm.ad
+++ b/XTerm.ad
@@ -262,16 +262,21 @@
 !*faceSize: 8
 
 ! Here is a pattern that is useful for double-clicking on a URL:
 !*charClass: 33:48,35:48,37-38:48,43-47:48,58:48,61:48,63-64:48,95:48,126:48
 !
 ! Alternatively,
 !*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./=?@_~-]|(%[[:xdigit:]][[:xdigit:]]))+
 
+! Security: Disallow operations that might allow raw text being pasted to xterm to
+! execute code.
+*allowWindowOps:	false
+*allowFontOps:		false
+
 !! We want a 8bit clean xterm
 *eightBitInput:        true
 *eightBitOutput:       true
 
 !! Default Settings
 *termName:             xterm
 *pointerShape:         top_left_arrow
 *scrollKey:            true
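Review bot: The comment added above `*allowWindowOps` names pasted text as the risk, but these two resources decide whether xterm acts on window and font control sequences in anything written to the terminal, so output from an untrusted file or a remote host is covered too. A more accurate wording would be `! Security: ignore window and font control sequences in terminal output;` followed by `! untrusted output (not only pasted text) may contain them.` The values are set in app-defaults, so they apply only when this XTerm.ad is the file that gets loaded, and a user resource can override them. The xterm.man hunk in this patch gives the allowFontOps default as false without that qualification. If a firm default is intended, the built-in fallback would need the same value, but that code is not part of this patch.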
diff --git a/xterm.man b/xterm.man
--- a/xterm.man
+++ b/xterm.man
@@ -1992,17 +1992,17 @@ The default is \*(``false\*(''.
 .TP
 .B "allowColorOps\fP (class\fB AllowColorOps\fP)"
 Specifies whether control sequences that set/query the dynamic colors should be allowed.
 ANSI colors are unaffected by this resource setting.
 The default is \*(``true\*(''.
 .TP
 .B "allowFontOps\fP (class\fB AllowFontOps\fP)"
 Specifies whether control sequences that set/query the font should be allowed.
-The default is \*(``true\*(''.
+The default is \*(``false\*(''.
 .TP 8
 .B "allowPasteControls\fP (class\fB AllowPasteControls\fP)"
 If true, allow control characters such as BEL and CAN to be pasted.
 Formatting characters (tab, newline) are always allowed.
 Other C0 control characters are suppressed unless this resource is enabled.
 The exact set of control characters (C0 and C1)
 depends upon whether UTF-8 encoding is used,
 as well as the \fBallowC1Printable\fP resource.