CLOSES#4665
Tested scenarios:
- site wysiwyg on, html access - result tinymce
- site wysiwyg on, no html access - result bbcodes
- site wysiwyg off, forum wysiwyg on, no html access - result bbcodes
- site wysiwyg off, forum wysiwyg on, html access - result tinymce
It worked like this before too, but bbcodes were always rendered (not visible with tinymce)
`e_parse::toAttributes()` is an expansion of the formerly private method
`e_form::attributes()`. Now, all client code can use
`e_parse::toAttributes()` to make it easy to concatenate variable-length
HTML attributes. Values are guaranteed to be encoded so that they cannot
escape an HTML attribute value.
All client code usages are encouraged to build HTML tags with this new
method to prevent cross-site scripting (XSS) attacks and prevent
breaking the HTML validity due to improperly escaped HTML attributes.
This new method is an extension to `e_parse::toAttribute()`, which
escaped one single HTML attribute value.
I guessed the `filter_var(…, FILTER_SANITIZE_STRING)` intention
mentioned in 20882920a0b68937570264949512acc0c4841dbd. I guessed wrong.
This fixes the guess to be just HTML tag removal.
Fixes: https://github.com/e107inc/e107/issues/4661
The result is a much more consistent form experience with less fear that
some values put into an `e_form` method will break the web page.
This commit covers the most common uses of `e_form` with HTML attribute
quoting via `e_form::attributes()`.
* `strftime()` has been replaced with a polyfill based on `DateTime`.
* Explicit type casts/assertions added where required by PHP 8.1
* `filter_var(…, FILTER_SANITIZE_STRING)` replaced with `strip_tags()`
or HTML entity encoding of quotation marks, depending on a guess of
what the intended "sanitization" was
* `http_build_query()` usage type mismatches fixed
* Removed usages of the `FILE_TEXT` constant
* To avoid breaking PHP 5.6 compatibility (function return types),
`e_session_db` no longer implements `SessionHandlerInterface`.
Instead, the alternative non-OOP invocation of
`session_set_save_handler()` is used instead to apply the session
handler.
* The shim for `strptime()` still calls the native function if available
but now suppresses the deprecation warning.
* `e_db_pdo` explicitly asks for `PDO::ATTR_STRINGIFY_FETCHES` to
maintain consistent behavior with past versions of PHP.
* `e_db_mysql` explicitly sets `mysqli_report(MYSQLI_REPORT_OFF)` to
maintain consistent behavior with past versions of PHP.
* Removed pointless random number generator seed from `banner` plugin
* Workaround for `COUNT(*)` SQL query in
`validatorClass::dbValidateArray()` without a proper API for avoiding
SQL injection
`e_parse::toJS()`, documented with the description
> Convert text blocks which are to be embedded within JS
, does not protect strings from injections, which appears to be its
primary use. Additionally, it performs multiple unrelated string
modifications:
* Replace Windows line breaks with a literal `\\n` (which would later be
parsed as `\n` in JavaScript/JSON)
* Does not modify Unix line breaks (`\n`), which is inconsistent with
the Windows line break behavior
* Removes HTML tags
* Replaces HTML entities as `htmlentities()` does
This method cannot be fixed because its usages are inconsistent. Most
notably, some usages surround the method's output in single quotes while
others surround it with double quotes. Strings cannot be JSON-encoded
without confounding quotation mark styles.
All core usages of `e_parse::toJS()` have been replaced with
alternatives, which are also documented in the method's DocBlock.
Fixes: #4546
