`e_parse::toJS()`, documented with the description
> Convert text blocks which are to be embedded within JS
, does not protect strings from injections, which appears to be its
primary use. Additionally, it performs multiple unrelated string
modifications:
* Replace Windows line breaks with a literal `\\n` (which would later be
parsed as `\n` in JavaScript/JSON)
* Does not modify Unix line breaks (`\n`), which is inconsistent with
the Windows line break behavior
* Removes HTML tags
* Replaces HTML entities as `htmlentities()` does
This method cannot be fixed because its usages are inconsistent. Most
notably, some usages surround the method's output in single quotes while
others surround it with double quotes. Strings cannot be JSON-encoded
without confounding quotation mark styles.
All core usages of `e_parse::toJS()` have been replaced with
alternatives, which are also documented in the method's DocBlock.
Fixes: #4546
