Description
The recent remote-code-execution exploits were misusing the helper blockHelperMissing in order to call methods from object prototypes that actually should not have been called.
The helpers "helperMissing" and "blockHelperMissing" are not meant to be called directly as in
{{helperMissing}}
{{#helperMissing}}{{/helperMissing}}
{{blockHelperMissing arg}}
{{#blockHelperMissing arg}}{{/blockHelperMissing}}
We can offer a flag that allows execution in case someone really wants it, but the default will be not to allow this.
Note that calling {{helperMissing}} from the template is not part of the documented API, and I assume it makes no sense other than to build an exploit. From this point of view this is not a breaking change and will result in a minor version update only (because of the feature flag).
Even though it is not documented, I would rather try to maintain compatibility here, but since this is a security-relevant change I will not do that in this case.
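As an added example (not code from the Handlebars project or from the issue author), here is a pre-compilation screen that flags the four direct-call forms listed above so that such a template is rejected before it reaches the runtime. It assumes template sources are available as plain strings; the sample templates are constructed for this example, and the opt-in flag's name is not given in the issue, so none is assumed.

```javascript
// Added example, not code from the Handlebars project: screen template sources
// for direct references to the internal helpers named in the issue.
const INTERNAL_HELPERS = new Set(["helperMissing", "blockHelperMissing"]);

// Return every mustache statement whose helper name is an internal helper.
// Handles {{x}}, {{{x}}}, whitespace control (~) and block open/close sigils,
// and skips {{! comments }} and {{> partials }}. Subexpressions and string
// literals are not descended into; that is enough for the four listed forms.
function findInternalHelperCalls(templateSource) {
  const mustache = /\{\{\{?~?\s*([^}]*?)\s*~?\}?\}\}/g;
  const hits = [];
  let match;
  while ((match = mustache.exec(templateSource)) !== null) {
    let body = match[1];
    if (body.startsWith("!") || body.startsWith(">")) continue; // comment / partial
    body = body.replace(/^[#\/^]\s*/, "");                      // strip block sigil
    const name = body.split(/\s+/)[0];
    if (INTERNAL_HELPERS.has(name)) {
      hits.push({ name, statement: match[0], offset: match.index });
    }
  }
  return hits;
}

// Guard to run before Handlebars.compile(): throws on the first offending
// statement and otherwise returns the source unchanged.
function assertNoInternalHelperCalls(templateSource) {
  const hits = findInternalHelperCalls(templateSource);
  if (hits.length > 0) {
    const { statement, offset } = hits[0];
    throw new Error(`internal helper called directly at offset ${offset}: ${statement}`);
  }
  return templateSource;
}

// Constructed samples: the four forms from the issue plus a benign template.
const SAMPLES = {
  inline: "{{helperMissing}}",
  block: "{{#helperMissing}}{{/helperMissing}}",
  inlineArg: "{{blockHelperMissing arg}}",
  blockArg: "{{#blockHelperMissing arg}}{{/blockHelperMissing}}",
  benign: "{{#each items}}<li>{{name}}</li>{{/each}}{{! helperMissing in a comment }}",
};

for (const [label, source] of Object.entries(SAMPLES)) {
  const hits = findInternalHelperCalls(source);
  console.log(label, hits.length === 0 ? "ok" : hits.map((h) => h.statement).join(" "));
}
```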