ZABBIX BUGS AND ISSUES / ZBX-17104

Some shell metachars not escaped in action's remote command

    • Team C

      See also a similar issue with quoting when calling alert scripts: ZBX-4529

      Steps to reproduce:

      1. Set up Zabbix from the official repo.
      2. Write an external script to handle Zabbix events and place it on the Zabbix server.
      3. Create an action in the Zabbix UI with "remote command on zabbix server" as one of the Operations steps (see attached screenshot). Pass some macros to this remote command, for example {ITEM.VALUE2}. You may quote the macros/args with either single or double quotes.
      4. Make this action run several times with values of {ITEM.VALUE2} containing either one single quote or one double quote character.
      5. Look in Reports->Action log for the success or failure of the action with the different values of this particular macro.

      Result:

      Sometimes the action fails (when {ITEM.VALUE2} contains a single quote if the arg is single quoted in the remote command, and when it contains a double quote if the arg is double quoted). See attached screenshot (where the value is single quoted and the result of httptest contains a single quote in its output). The result is an error message from "sh".

      Expected:
      It is expected that either single or double quote characters will be escaped in macro values when they are passed to a remote command, so that no shell misquoting problem arises.

      Note that macro values are not always under the control of the Zabbix server administrator, and now (in 4.4.3) an external attacker may manipulate acquired data to inject malicious shell code into the remote command and execute it in the context of the zabbix server user.

            zabbix.dev Zabbix Development Team
            evg-krsk Evgenii Terechkov
            Team C
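The quoting failure described in this report, reproduced with `sh -c` next to a context-aware escape of the macro value. This is an added example, not part of the original report and not Zabbix's code: `expand`, `escape_for` and `run` are hypothetical helpers, the substitution model is a simplified assumption, and `printf` stands in for the external handler script.

```python
import subprocess

MACRO = "{ITEM.VALUE2}"  # macro named in the report

def escape_for(context, value):
    """Escape value for the sh quoting context the macro sits in."""
    if context == '"':
        # Inside "...": backslash, ", $ and ` are still special to sh.
        return "".join("\\" + c if c in '\\"$`' else c for c in value)
    # Inside '...': only ' is special; close, emit \', reopen.
    body = value.replace("'", "'\\''")
    # Unquoted macro: additionally wrap so the value stays one word.
    return body if context == "'" else "'" + body + "'"

def expand(template, value, escape=True):
    """Substitute MACRO into template while tracking the sh quote state."""
    out, context, i = [], None, 0
    while i < len(template):
        if template.startswith(MACRO, i):
            out.append(escape_for(context, value) if escape else value)
            i += len(MACRO)
            continue
        c = template[i]
        if context is None and c in "'\"":
            context = c                      # opening quote
        elif c == context:
            context = None                   # closing quote
        elif c == "\\" and context != "'" and i + 1 < len(template):
            out.append(c)                    # backslash escapes next char
            i += 1
            c = template[i]
        out.append(c)
        i += 1
    return "".join(out)

def run(command):
    """Run command through sh -c; return (exit status, stdout)."""
    p = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return p.returncode, p.stdout

# Constructed samples: printf stands in for the external handler script.
SINGLE = "printf %s '{ITEM.VALUE2}'"
DOUBLE = 'printf %s "{ITEM.VALUE2}"'

if __name__ == "__main__":
    for tpl, val in ((SINGLE, "can't connect"), (DOUBLE, '5" disk')):
        print(run(expand(tpl, val, escape=False)), run(expand(tpl, val)))
```

With `escape=False` both sample commands fail with a syntax error from `sh`, matching the Action log result in the report; with escaping the handler receives the value unchanged as a single argument.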