thymeleaf/thymeleaf-spring

Improve detection of restricted expression execution scenarios

danielfernandez opened this issue · 1 comment

The use of Character.isJavaIdentifierPart() as a way to signal delimiters of SpringEL's static execution expressions could allow for the bypassing of the restricted mode checks in very specific scenarios (view names returned by controller methods created by appending a fixed string literal representing a template name and an unfiltered, unvalidated request parameter as a fragment specification).

This is related to CVE-2021-43466, though not the same.

Thanks and credit to @ceclin (Cecil Lin) for finding and properly reporting this.

Thymeleaf 3.0.14.RELEASE has already been published.
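As an added illustration of the controller pattern the issue describes (not code from the thymeleaf-spring project, from this issue, or from the reporter), the following Spring MVC controller shows the vulnerable shape, a fixed template name concatenated with an unvalidated request parameter as the fragment specification, next to a hardened form that only builds the view name from an allowlisted fragment name. The package, class, mapping paths, template name `home` and fragment names are assumptions made for the example.

```java
// Added example, not code from thymeleaf-spring or this issue.
// Package, class, paths, template and fragment names are assumptions.
package example;

import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

@Controller
public class FragmentController {

    // Vulnerable pattern named in the issue: the raw request parameter is
    // appended to a fixed template name and becomes the fragment part of
    // the view name that the Thymeleaf view resolver has to parse.
    @GetMapping("/card")
    public String card(@RequestParam("section") String section) {
        return "home :: " + section;
    }

    // Hardened form: the parameter may only select one of the fragment
    // names the application already knows; anything else is rejected
    // before it can reach the view-name parser.
    private static final Set<String> ALLOWED_FRAGMENTS =
            Set.of("header", "footer", "sidebar");

    @GetMapping("/card-safe")
    public String cardSafe(@RequestParam("section") String section) {
        if (!ALLOWED_FRAGMENTS.contains(section)) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST,
                    "unknown fragment");
        }
        // After the check, `section` is one of the allowlisted constants,
        // so the view name no longer carries attacker-controlled text.
        return "home :: " + section;
    }
}
```

Validating against a fixed set of fragment names is preferable to escaping or filtering individual characters, because the check does not have to anticipate which delimiters the view-name parser treats as significant.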