Add option to use -dsafe argument in Lilypond command
This change makes the -dsafe argument from the Lilypond command
optional, to be disabled through the use of $wgScoreSafeMode. As now it
can be disabled, the README recommends the use of a jail/Firejail
before doing so. This change would allow Lilypond to be more flexible,
including the use of variables, and more customizations to the score,
while preventing the execution of malicious code
This change resolves T171372 and its subtasks, even though the subtasks
appear to be unrelated. The were nonetheless all caused by the very
restrictive safe argument, of which Firejail supersedes.
Two related patches I5a0579b0e and I011db0e9a will enable Firejail in
Wikimedia wikis. This should not be merged until the two other patches
have come through.