`e_parse::toJS()`, documented with the description

> Convert text blocks which are to be embedded within JS

, does not protect strings from injections, which appears to be its
primary use. Additionally, it performs multiple unrelated string
modifications:
* Replaces Windows line breaks with a literal `\\n` (which would later be
parsed as `\n` in JavaScript/JSON)
* Does not modify Unix line breaks (`\n`), which is inconsistent with
the Windows line break behavior
* Removes HTML tags
* Replaces HTML entities as `htmlentities()` does

This method cannot be fixed because its usages are inconsistent. Most
notably, some usages surround the method's output in single quotes while
others surround it with double quotes. Strings cannot be JSON-encoded
without confounding quotation mark styles.

All core usages of `e_parse::toJS()` have been replaced with
alternatives, which are also documented in the method's DocBlock.

Fixes: #4546
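
The behaviour described in the commit message above can be checked with a round-trip test. This is an added example, not part of the commit and not e107 code: `describedTransform()` is a simplified model of the listed behaviours only (CRLF replacement, tag removal, entity encoding), and the function names, entity subset and sample strings are all constructed for illustration.

```javascript
// Simplified model of the behaviours listed in the commit message.
// NOT the source of e_parse::toJS(); the entity map is a constructed subset.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

function describedTransform(text) {
  return text
    .replace(/\r\n/g, "\\n")                  // CRLF -> literal backslash + n
    .replace(/<[^>]*>/g, "")                  // remove HTML tags
    .replace(/[&<>"]/g, (c) => ENTITIES[c]);  // entity-encode; LF is left as-is
}

// Parse `source` as a JS expression; return its value, or null if it does
// not parse. Only ever called on the constructed samples below.
function parseLiteral(source) {
  try {
    return new Function(`return ${source};`)();
  } catch (err) {
    return null; // e.g. SyntaxError: a raw line break ends the string literal
  }
}

// Constructed, harmless sample inputs.
const SAMPLES = {
  plain: "hello world",
  crlf: "line one\r\nline two",
  lf: "line one\nline two",
  ampersand: "Terms & Conditions",
};

function compare() {
  const report = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    report[name] = {
      // Call-site pattern from the commit message: output wrapped in quotes.
      legacySingle: parseLiteral(`'${describedTransform(text)}'`),
      // JSON encoding emits its own double quotes; the caller adds none.
      jsonBare: parseLiteral(JSON.stringify(text)),
      // JSON output dropped into a call site that still adds its own quotes.
      jsonInLegacyQuotes: parseLiteral(`'${JSON.stringify(text)}'`),
    };
  }
  return report;
}

console.log(compare());
```

In the report, `legacySingle` is `null` for the Unix line break sample and altered for the ampersand sample, `jsonBare` always equals the input, and `jsonInLegacyQuotes` carries stray double quotes, which is why a JSON-encoding fix would also require changing every call site's quoting.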
- Moved away from e107_admin/message.php to its own place in the Downloads admin area.
- Notification of broken downloads now controlled by e_notify (see Admin Area > Settings > Notify)
- Updated notification message
- Added e_dashboard addon to show latest status on broken download reports
- MOD: Refactored NGINX secure_link_md5 decorator into interface and
class in Downloads plugin
- NEW: Downloads plugin: Admin preferences UX improvement:
Preferences >> Protection now shows the user a list of
supported NGINX variables pulled from
NginxSecureLinkMd5Decorator
- NEW: "Protection" section in Downloads >> Preferences
- NEW: Basic support for NGINX secure_link_md5 in Downloads plugin
- NEW: When configured with a URL protection mode, Downloads will
modify the direct download URL and/or the mirror download URL
to be compatible with the implemented URL protection

Fixes: #3075