GitLab

# Conflicts:
#	mockup/inputmodeswitcher.html

# Conflicts:
#	mockup/inputmodeswitcher.html

Renamed two bat files - makes trouble if they are send by email - will be blocked, even if they are inside of a zip.

Implemented defaultEscapeType. configurable via config.qfq.ini (global) and per Form.
Implemented max GET parameter lenght. Default: 50. BTW: in phpunit test there have been a parameter 'file' which exceeds the limit of 32.

Config.qfq: Skip empty variable names - happens in phpunit tests. Read new `systemEscapeTypeDefault`.
Constants.php: renamed  TOKEN_LDAP_ESCAPE_* to TOKEN_ESCAPE_LDAP_*. Add TOKEN_ESCAPE_MYSQL, TOKEN_ESCAPE_NONE
Database.php: Set charset to real_escape_string() functions properly. Proxy for mysqli::real_escape_string()
Evaluate.php: Respect global escapeTypeDefault. Implement
formEditor.sql: add column `escapeTypeDefault`. Add FormElement 'escapeTypeDefault'.

Manual.rst: small abstract about implemented security enhancements in QFQ.
Sanatize.php: New function urlDecodeArr(). Decode all _GET vars.
AbstractBuildForm.php, BuildFormBootstrap.php: form head now contains the honeypot vars.

Fix from BB seems to help in 90%: window.onblur().
QuickFormQuery.php: Add 'windows.onblur'

Config.php: Defaults are now set in Config.php, not in Store.php anymore. New function setDefaults(), checkForAttack().

Play: ALTER TABLE  `FormElement` ADD  `encode` ENUM(  'none',  'specialchar' ) NOT NULL DEFAULT  'specialchar' AFTER  `subrecordOption` ;
Play: formEditor.sql

Attention: FEs with text=editor needs actions - the default of 'specialchar' prohibits saving of HTML tags.

FillStoreForm.php: Submitted values will be specialchars() before copying to STORE_FORM.
AbstractBuildForm.php: Counterpart of FillStoreForm.php - will htmlspecialchars_decode() values read from database. Replace 'checkType' and 'checkPattern' with CONSTANTS.
formEditor.sql: Added new column in FormElement. Add new FormElement 'encode' in FormElement-Editor. Add column 'encode' to all FormElement records.

Store.php: fillStoreClient now htmlentities() the $_SERVER array.

Manual.rst: Cleanup doc for wkhtmltopdf. Remove all references to excel export. Add best practice for 'export area' (IP based restriction).

Handling of filenames in Zip's optimized. Spoken filename (no cryptic tempnames anymore). Correct filename extension, based on the mimetype.

Manual.rst: updated doc for columns  _pPdf,_zZip, _fFile. Remove doc for '_dDownload'.
Download.php: new function targetFilenameExtension(). Replace cryptic temporary filenames against file-1, ...
Link.php: reorder param array, to make TOKEN_DOWNLOAD position independet
Report.php: Implemented _pPdf,_zZip, _fFile.

 QucikFormQuery.php: Update default text.

Link.php: If there is no output filename defined, the default is now computed in Download.php, not in Link.php as before.
Download.php: Extract filename extension from mimetype, compare it with output filename, if it does not match, append the computed extension. This forces the filemanager to open the correct application after download.