`e_parse::toAttributes()` is an expansion of the formerly private method
`e_form::attributes()`. Now, all client code can use
`e_parse::toAttributes()` to make it easy to concatenate variable-length
HTML attributes. Values are guaranteed to be encoded so that they cannot
escape an HTML attribute value.
All client code usages are encouraged to build HTML tags with this new
method to prevent cross-site scripting (XSS) attacks and prevent
breaking the HTML validity due to improperly escaped HTML attributes.
This new method is an extension to `e_parse::toAttribute()`, which
escaped one single HTML attribute value.
Fixes regression from 20882920a0b68937570264949512acc0c4841dbd where
data would get inserted into the database with literal quotation marks,
but e107 has always expected `"` and `'` to come directly from
the database
`e_parse::toJS()`, documented with the description
> Convert text blocks which are to be embedded within JS
, does not protect strings from injections, which appears to be its
primary use. Additionally, it performs multiple unrelated string
modifications:
* Replace Windows line breaks with a literal `\\n` (which would later be
parsed as `\n` in JavaScript/JSON)
* Does not modify Unix line breaks (`\n`), which is inconsistent with
the Windows line break behavior
* Removes HTML tags
* Replaces HTML entities as `htmlentities()` does
This method cannot be fixed because its usages are inconsistent. Most
notably, some usages surround the method's output in single quotes while
others surround it with double quotes. Strings cannot be JSON-encoded
without confounding quotation mark styles.
All core usages of `e_parse::toJS()` have been replaced with
alternatives, which are also documented in the method's DocBlock.
Fixes: #4546
* `strftime()` has been replaced with a polyfill based on `DateTime`.
* Explicit type casts/assertions added where required by PHP 8.1
* `filter_var(…, FILTER_SANITIZE_STRING)` replaced with `strip_tags()`
or HTML entity encoding of quotation marks, depending on a guess of
what the intended "sanitization" was
* `http_build_query()` usage type mismatches fixed
* Removed usages of the `FILE_TEXT` constant
* To avoid breaking PHP 5.6 compatibility (function return types),
`e_session_db` no longer implements `SessionHandlerInterface`.
Instead, the alternative non-OOP invocation of
`session_set_save_handler()` is used instead to apply the session
handler.
* The shim for `strptime()` still calls the native function if available
but now suppresses the deprecation warning.
* `e_db_pdo` explicitly asks for `PDO::ATTR_STRINGIFY_FETCHES` to
maintain consistent behavior with past versions of PHP.
* `e_db_mysql` explicitly sets `mysqli_report(MYSQLI_REPORT_OFF)` to
maintain consistent behavior with past versions of PHP.
* Removed pointless random number generator seed from `banner` plugin
* Workaround for `COUNT(*)` SQL query in
`validatorClass::dbValidateArray()` without a proper API for avoiding
SQL injection
