
Apache 1.3.35 Released

2006-05-08 [URL:http://apache.p.cosrc.com/see.s/ver/12]

Changes with Apache 1.3.35

*) SECURITY: CVE-2005-3352 (cve.mitre.org)
   mod_imap: Escape untrusted referer header before outputting in HTML
   to avoid potential cross-site scripting. Change also made to
   ap_escape_html so we escape quotes. Reported by JPCERT.
   [Mark Cox]

*) core: Allow usage of the "Include" configuration directive within
   previously "Include"d files. [Colm MacCarthaigh]

*) HTML-escape the Expect error message. Not classed as security as
   an attacker has no way to influence the Expect header a victim will
   send to a target site. Reported by Thiago Zaninotti. [Mark Cox]

*) mod_cgi: Remove block on OPTIONS method so that scripts can
   respond to OPTIONS directly rather than via server default.
   [Roy Fielding] PR 15242
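
Added example, not Apache's code: why the CVE-2005-3352 entry also makes the HTML escaper handle quotes. The helper names and the sample Referer value are hypothetical, and the example assumes the escaped value is written inside a double-quoted HTML attribute.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not ap_escape_html): malloc'd copy of s with HTML
 * metacharacters as entities. escape_quotes=0 leaves '"' untouched. */
char *escape_html(const char *s, int escape_quotes)
{
    const char *p;
    char *out, *o;
    size_t len = 0;
    for (p = s; *p; p++) {                      /* pass 1: size the output */
        if (*p == '<' || *p == '>') len += 4;   /* &lt; / &gt; */
        else if (*p == '&') len += 5;           /* &amp; */
        else if (*p == '"' && escape_quotes) len += 6; /* &quot; */
        else len += 1;
    }
    out = malloc(len + 1);
    if (out == NULL) return NULL;
    for (p = s, o = out; *p; p++) {             /* pass 2: write entities */
        const char *rep = NULL;
        if (*p == '<') rep = "&lt;";
        else if (*p == '>') rep = "&gt;";
        else if (*p == '&') rep = "&amp;";
        else if (*p == '"' && escape_quotes) rep = "&quot;";
        if (rep) { size_t n = strlen(rep); memcpy(o, rep, n); o += n; }
        else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* 1 if no raw '"', '<' or '>' remains, so the value cannot end the attribute. */
int safe_in_quoted_attr(const char *escaped)
{
    return strpbrk(escaped, "\"<>") == NULL;
}

int main(void)
{
    const char *referer = "http://example.test/a?x=\"y\"&z=<1>"; /* constructed */
    char *without_quotes = escape_html(referer, 0);
    char *with_quotes = escape_html(referer, 1);
    if (!without_quotes || !with_quotes) return 1;
    printf("<a href=\"%s\"> safe=%d\n", without_quotes, safe_in_quoted_attr(without_quotes));
    printf("<a href=\"%s\"> safe=%d\n", with_quotes, safe_in_quoted_attr(with_quotes));
    free(without_quotes); free(with_quotes);
    return 0;
}
```

With quote escaping off, the first line of output shows the attribute ending at the quote carried in the header value; with it on, the value stays inside the attribute.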