CLOSES#4665
Tested scenarios:
- site wysiwyg on, html access - result tinymce
- site wysiwyg on, no html access - result bbcodes
- site wysiwyg off, forum wysiwyg on, no html access - result bbcodes
- site wysiwyg off, forum wysiwyg on, html access - result tinymce
It worked like this before too, but bbcodes were always rendered (not visible with tinymce)
`e_parse::toAttributes()` is an expansion of the formerly private method
`e_form::attributes()`. Now, all client code can use
`e_parse::toAttributes()` to make it easy to concatenate variable-length
HTML attributes. Values are guaranteed to be encoded so that they cannot
escape an HTML attribute value.
All client code usages are encouraged to build HTML tags with this new
method to prevent cross-site scripting (XSS) attacks and prevent
breaking the HTML validity due to improperly escaped HTML attributes.
This new method is an extension to `e_parse::toAttribute()`, which
escaped one single HTML attribute value.
The result is a much more consistent form experience with less fear that
some values put into an `e_form` method will break the web page.
This commit covers the most common uses of `e_form` with HTML attribute
quoting via `e_form::attributes()`.
* `strftime()` has been replaced with a polyfill based on `DateTime`.
* Explicit type casts/assertions added where required by PHP 8.1
* `filter_var(…, FILTER_SANITIZE_STRING)` replaced with `strip_tags()`
or HTML entity encoding of quotation marks, depending on a guess of
what the intended "sanitization" was
* `http_build_query()` usage type mismatches fixed
* Removed usages of the `FILE_TEXT` constant
* To avoid breaking PHP 5.6 compatibility (function return types),
`e_session_db` no longer implements `SessionHandlerInterface`.
Instead, the alternative non-OOP invocation of
`session_set_save_handler()` is used instead to apply the session
handler.
* The shim for `strptime()` still calls the native function if available
but now suppresses the deprecation warning.
* `e_db_pdo` explicitly asks for `PDO::ATTR_STRINGIFY_FETCHES` to
maintain consistent behavior with past versions of PHP.
* `e_db_mysql` explicitly sets `mysqli_report(MYSQLI_REPORT_OFF)` to
maintain consistent behavior with past versions of PHP.
* Removed pointless random number generator seed from `banner` plugin
* Workaround for `COUNT(*)` SQL query in
`validatorClass::dbValidateArray()` without a proper API for avoiding
SQL injection
