Merge remote-tracking branch 'upstream/develop' into 4.5

Author: kenjis

phpstan-baseline.php

@@ -6356,11 +6356,6 @@
 	'count' => 1,
 	'path' => __DIR__ . '/system/HTTP/MessageInterface.php',
 ];
-$ignoreErrors[] = [
-	'message' => '#^Call to function is_array\\(\\) with array will always evaluate to true\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/system/HTTP/Negotiate.php',
-];
 $ignoreErrors[] = [
 	'message' => '#^Method CodeIgniter\\\\HTTP\\\\Negotiate\\:\\:charset\\(\\) has parameter \\$supported with no value type specified in iterable type array\\.$#',
 	'count' => 1,
@@ -7011,11 +7006,6 @@
 	'count' => 1,
 	'path' => __DIR__ . '/system/Helpers/filesystem_helper.php',
 ];
-$ignoreErrors[] = [
-	'message' => '#^Call to function is_array\\(\\) with array will always evaluate to true\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/system/Helpers/form_helper.php',
-];
 $ignoreErrors[] = [
 	'message' => '#^Construct empty\\(\\) is not allowed\\. Use more strict comparison\\.$#',
 	'count' => 1,
@@ -7206,11 +7196,6 @@
 	'count' => 1,
 	'path' => __DIR__ . '/system/Helpers/form_helper.php',
 ];
-$ignoreErrors[] = [
-	'message' => '#^Only booleans are allowed in &&, array given on the right side\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/system/Helpers/form_helper.php',
-];
 $ignoreErrors[] = [
 	'message' => '#^Only booleans are allowed in a negated boolean, int\\<0, max\\> given\\.$#',
 	'count' => 1,

system/Common.php

@@ -432,22 +432,22 @@ function env(string $key, $default = null)
      */
     function esc($data, string $context = 'html', ?string $encoding = null)
     {
+        $context = strtolower($context);
+
+        // Provide a way to NOT escape data since
+        // this could be called automatically by
+        // the View library.
+        if ($context === 'raw') {
+            return $data;
+        }
+
         if (is_array($data)) {
             foreach ($data as &$value) {
                 $value = esc($value, $context);
             }
         }
 
         if (is_string($data)) {
-            $context = strtolower($context);
-
-            // Provide a way to NOT escape data since
-            // this could be called automatically by
-            // the View library.
-            if ($context === 'raw') {
-                return $data;
-            }
-
             if (! in_array($context, ['html', 'js', 'css', 'url', 'attr'], true)) {
                 throw new InvalidArgumentException('Invalid escape context provided.');
             }

system/HTTP/Negotiate.php

@@ -276,7 +276,7 @@ public function parseHeader(string $header): array
     protected function match(array $acceptable, string $supported, bool $enforceTypes = false, $matchLocales = false): bool
     {
         $supported = $this->parseHeader($supported);
-        if (is_array($supported) && count($supported) === 1) {
+        if (count($supported) === 1) {
             $supported = $supported[0];
         }
 

system/Helpers/form_helper.php

@@ -457,10 +457,8 @@ function form_label(string $labelText = '', string $id = '', array $attributes =
             $label .= ' for="' . $id . '"';
         }
 
-        if (is_array($attributes) && $attributes) {
-            foreach ($attributes as $key => $val) {
-                $label .= ' ' . $key . '="' . $val . '"';
-            }
+        foreach ($attributes as $key => $val) {
+            $label .= ' ' . $key . '="' . $val . '"';
         }
 
         return $label . '>' . $labelText . '</label>';

tests/system/CommonFunctionsTest.php

@@ -248,6 +248,27 @@ public function testEscapeBadContextZero(): void
         esc('<script>', '0');
     }
 
+    public function testEscapeArray(): void
+    {
+        $data = [
+            'a' => [
+                'b' => 'c&',
+            ],
+            'd' => 'e>',
+        ];
+        $expected           = $data;
+        $expected['a']['b'] = 'c&amp;';
+        $expected['d']      = 'e&gt;';
+        $this->assertSame($expected, esc($data));
+    }
+
+    public function testEscapeRecursiveArrayRaw(): void
+    {
+        $data      = ['a' => 'b', 'c' => 'd'];
+        $data['e'] = &$data;
+        $this->assertSame($data, esc($data, 'raw'));
+    }
+
     /**
      * @runInSeparateProcess
      * @preserveGlobalState disabled

user_guide_src/source/concepts/factories.rst

@@ -86,17 +86,17 @@ The following code loads **app/Libraries/Sub/SubLib.php** if it exists:
 .. literalinclude:: factories/013.php
    :lines: 2-
 
-Passing Full Qualified Classname
---------------------------------
+Passing Fully Qualified Classname
+---------------------------------
 
-You could also request a full qualified classname:
+You could also request a fully qualified classname:
 
 .. literalinclude:: factories/002.php
    :lines: 2-
 
 It returns the instance of ``Blog\Models\UserModel`` if it exists.
 
-.. note:: Prior to v4.4.0, when you requested a full qualified classname,
+.. note:: Prior to v4.4.0, when you requested a fully qualified classname,
     if you had only ``Blog\Models\UserModel``, the instance would be returned.
     But if you had both ``App\Models\UserModel`` and ``Blog\Models\UserModel``,
     the instance of ``App\Models\UserModel`` would be returned.
@@ -143,7 +143,7 @@ the ``Factories::define()`` method:
 
 The first parameter is a component. The second parameter is a class alias
 (the first parameter to Factories magic static method), and the third parameter
-is the true full qualified classname to be loaded.
+is the true fully qualified classname to be loaded.
 
 After that, if you load ``Myth\Auth\Models\UserModel`` with Factories, the
 ``App\Models\UserModel`` instance will be returned:

user_guide_src/source/tutorial/news_section.rst

@@ -176,7 +176,7 @@ Create **app/Views/news/index.php** and add the next piece of code.
 
 .. literalinclude:: news_section/005.php
 
-.. note:: We are again using using :php:func:`esc()` to help prevent XSS attacks.
+.. note:: We are again using :php:func:`esc()` to help prevent XSS attacks.
     But this time we also passed "url" as a second parameter. That's because
     attack patterns are different depending on the context in which the output
     is used.

user_guide_src/source/tutorial/static_pages.rst

@@ -219,7 +219,7 @@ controller you made above produces...
     | localhost:8080/pages            | the results from the ``index()`` method inside our ``Pages``    |
     |                                 | controller, which is to display the CodeIgniter "welcome" page. |
     +---------------------------------+-----------------------------------------------------------------+
-    | localhost:8080/home             | show the "home" page that you made above, because we explicitly |
+    | localhost:8080/home             | the "home" page that you made above, because we explicitly      |
     |                                 | asked for it. the results from the ``view()`` method inside our |
     |                                 | ``Pages`` controller.                                           |
     +---------------------------------+-----------------------------------------------------------------+