fix possible XSS
https://www.openbugbounty.org/reports/2315738/
__prefix__ was substituted with the decoded URL and could be hijacked with a
crafted query parameter. Now the urlencoded variant is used; the decoded
variant is only left to calculate the string size.
use Text::Markdown::Discount if possible
expose hidden subdirs if hit
strip extension in all path components
fix multiple _ in filename
fix Markdown vs. markdown
default $menulevel=1 and fix empty <ul></ul>
pprefix in $template, too
subst prefix and pprefix ($abs) even in $content
avoid uninitialized value $pagetitle
take length of appended QUERY_STRING in count