In MDL-45772 a hack was introduced to some forms to stop browsers from
putting the user's password into password fields in forms unrelated to
logging in.
Chrome now no longer fills the user's password in the first password
field in the page. There now needs to be a plain text input above it
for the username too.

We were previously using an ancient version of html2text from RoundCube
with many customisations.
This patchset moves to the version included in the latest version of
HTML2Text, and wraps the library in a Moodle-provided class. This
moves all previous hacks away from that class.
Unfortunately, two hacks still remain - two of the functions in the
RoundCube class are private, and must be modified to protected in order to
use the class effectively.

This lets you programmatically prevent certain filters running on
certain content.
Also, I created some unit tests for the basic format_text functionality
since there did not seem to be any yet.

Instead we will create new MUC caches inside each filter plugin.
Please note that all cache filters should work with local caches
without the need of strict cache invalidation.

List of changes:
* New OOP API using PHP namespace \core\session\.
* All handlers now update the sessions table consistently.
* Experimental DB session support in Oracle.
* Full support for session file handler (filesystem locking required).
* New option for alternative session directory.
* Official memcached session handler support.
* Workaround for memcached version with non-functional gc.
* Improved security - forced session id regeneration.
* Improved compatibility with recent PHP releases.
* Fixed borked CSS during install in debug mode.
* Switched to file based sessions in new installs.
* DB session setting disappears if DB does not support sessions.
* DB session setting disappears if session handler specified in config.php.
* Fast purging of sessions used in request only.
* No legacy distinction - file, database and memcached support the same functionality.
* Session handler name included in performance info.
* Fixed user_loggedin and user_loggedout event triggering.
* Other minor bugfixing and improvements.
* Fixed database session segfault if MUC disposed before $DB.

Limitations:
* Session access time is now updated right after session start.
* Support for $CFG->sessionlockloggedinonly was removed.
* First request does not update userid in sessions table.
* The timeouts may break badly if server hosting forces PHP.ini session settings.
* The session GC is a lot slower, we do not rely on external session timeouts.
* There cannot be any hooks triggered at the session write time.
* File and memcached handlers do not support session lock acquire timeouts.
* Some low level PHP session functions can not be used directly in Moodle code.