SECURITY: disable user entered badge SQL by default

- Hidden site settings now must be change via rails console

spec/controllers/admin/site_settings_controller_spec.rb

@@ -46,6 +46,13 @@ describe Admin::SiteSettingsController do
         xhr :put, :update, id: 'test_setting', test_setting: 'hello'
       end
 
+      it 'does not allow changing of hidden settings' do
+        SiteSetting.setting(:hidden_setting, "hidden", hidden: true)
+        result = xhr :put, :update, id: 'hidden_setting', hidden_setting: 'not allowed'
+        expect(SiteSetting.hidden_setting).to eq("hidden")
+        expect(result.status).to eq(422)
+      end
+
       it 'fails when a setting does not exist' do
         expect {
           xhr :put, :update, id: 'provider', provider: 'gotcha'