This addresses an issue where client side column sorting does not work at
all. This is due to the if/else statement that checks for a REQUEST sort
order and if the REQUEST sort order matches an `$orderWays` array value. The
if statement returns TRUE for DESC and sets the sort order to DESC as it
equals '-' (a dash) but ASC equals '' (an empty string) so it returns FALSE
which fails-over to the else statement setting the sort order to DESC. In
addition, this adds sorting icons the the column headers to make it more
obvious they are sortable.

This addresses an issue introduced with a3d896c8 where TextThreadEntryBodies
are not keeping their new line characters causing the email format to appear
wonky. This balances the entry and then htmlchars it to ensure no XSS.

This addresses an issue where disabling Ticket Locks but setting a time
for the Lock Timeout will always throw a "lock required" error. This adds
a check to see if locks are enabled AND there is a time set. If locks are
disabled it will not throw the error.

This addresses issue 4329 where you can import a User with no email
address via CSV file. Once the User is added and you try to update them
with an email address it fails due to no default email. This updates the
check for email address from `!isset()` to `empty()` which will correctly
check for empty string.

This addresses an issue where osTicket did not ensure associated items exist
before saving to the database. This also addresses an issue where the Parent
Topic error was not displayed on page.

It may be possible to steal or manipulate customer session and cookies,
which might be used to impersonate a legitimate user, allowing the hacker to
view or alter user records, and to perform transactions as that user.
Sanitation of hazardous characters was not performed correctly on user
input.

osTicket did not properly sanitize array values in `Format::htmlchars()`.
Some values in the Admin Interface were not properly sanitized and returned
to the response.

This addresses issue 4322 where deploying via CLI is missing
`bootstrap.php`. This is due to the `get_include_dir()` function that
tries to include a file from the destination which doesn’t exist yet,
causing a fatal error. This updates the function to use `$this->source`
instead of `$this->destination` to correctly find and include
`bootstrap.php`.

This addresses issue 4325 where the Language Pack Locales are mismatched.
The Locale for the first language is displayed on the second language,
etc. This updates the `$manifest` variable to be set before we display
data so the correct `MANIFEST` file is included and all language data is
displayed correctly.

This addresses an issue on the Forums where the Auto-Assignment Thread
Event (configurable via Help Topic) uses the Email of the User rather than
the User’s Name. This adds the correct function to retrieve the User’s
Name if the User has an Account.

Some fix for PHP 7,2 https://github.com/osTicket/osTicket/issues/4237

Some fix for PHP 7.2 support https://github.com/osTicket/osTicket/issues/4237

This addresses an issue on the forums where the query to determine the
size of the `file_chunk` table is making the page load really slow for
people with large tables. This updates the query to improve the
performance of the page load time.

This addresses a vulnerability where there was no `X-Frame-Options` header
which could potentially allow click jacking. This adds the
`X-Frame-Options: SAMEORIGIN` header so it will remove any chance of click
jacking. According to Mozilla Developer Docs:
```
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page
itself.
```

This addresses the issue where files were being deleted before being sent
out in Agent responses. This was due to a bug in the query that gets the
orphaned files. This query was getting files created within the last 24
hours not after the last 24 hours. The query also had another bug that
would use the time from PHP instead of MySQL which could cause issues.
This updates the query as per @greezybacon's suggestions to delete
orphaned files that were created more than 24 hours ago.

This fixes an error where the ModelInstanceManager maintained a reference to
the QuerySet instance, and the QuerySet instance managed a reference to the
ModelInstanceManager instance (if it's the iterator for the query). Because
of the circular reference, if the iterator is not exhausted, then the
resource is not closed and the query remains open. This wastes memory and
prevents some other queries from running after such a situation happens.

This addresses the issue by removing the circular reference between the
QuerySet and the ModelInstanceManager.

This addresses an issue where the Upgrader will sometimes use an outdated
cached object and throw an error. This adds a the function to clear the
Model Cache every time the Upgrader runs an Upgrade Patch to get fresh
objects.

This addresses an issue where the User’s account status is always 'Active'
in the Organization list no matter what their actual status is. This adds the
account status to the user query which adds the correct status to the Users’
account.

This addresses an issue where Outlook adds weird (and seemingly random)
_MailEndCompose tags to the email body which turns unwanted content into
links. This adds the _MailEndCompose tag to Format::sanitize() so it
will be removed from the email body.

This addresses an issue where you can exploit XSS in the help-topic AJAX
request. This adds a check for a refferal URL and if none it will return
a 403 Forbidden Response.

This addresses an issue where the CSRF Token is displayed in the URL
when you preform a search in the Users Tab. This removes the token from the
request which removes it from the URL.

This addresses an issue where the 'DISABLE_AUTHENTICATOR' args were not
properly added to the `imap_open` params. This changes the `+=` operator
to `array_merge()` to successufully add the params.

This addresses a vulnerability where an Agent can perform XSS via the
Agent Directory’s REQUEST query string. This sanitizes the request params
so the code will be escaped and not executed in the browser.

This addresses an issue where some Vimeo videos are not being sent in
Agent’s responses. This adds `player.vimeo` to the sanitize method’s
iframe section so that the iframe tag is not stripped.

Don't display the Close Task option if the current user can't close it...

This addresses an issue where the `randNumber()` function would crash on
32-Bit systems if the ticket format was set to a really high amount of
digits (eg. ###################). This is because the `max()` value that
was being passed to `mt_rand()` exceeded the `mt_getrandmax()` limit which
caused an error. This updates the function to generate a random number for
each digit to avoid the `mt_getrandmax()` limit.

This addresses an issue where the Help Text for Section Break fields does
not display custom Redactor styling correctly. Instead of displaying the
properly formatted Redactor content with it's styling it displays the
entire html for the Redactor content. This was due to the format method
used for the Section Break Field's Help Text. This updates the method from
`Format::htmlchars()` to `Format::display()` which displays the properly
formatted content. The content is also sanitized by `Format::sanitize()`
before saving to the database to avoid any chance of XSS.

This addresses an issue where someone can bypass the file restrictions on
the file upload field in the Client Portal. This adds the allowed
extensions and file types to the field options so that User’s cannot
upload anything other than the allowed file types.

This addresses issue 4015 where osTicket’s cookies aren’t HttpOnly by
default. The HttpOnly flag helps prevent client scripts accessing the
cookie. This updates the method that sets the cookie params to include
the HttpOnly flag.

Encode html entities of cached form data

This commit addresses an SQL injection vulnerability in ORM lookup
function.

* ORM implementation failed to properly quote fields, used in SQL
statements, that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.

Extend this to exclude image files that are injectable from opening in browser windows.

This addresses an issue where updating a Task does not change the
`updated` column in the database. This adds a line to change the `update`
column when updating a Task.

This addresses issue 3782 where clicking Print on a Task gives you a blank
popup that hangs. This is because the Print button was being treated as a
Task action when it is actually not one. This adds a ternary operator to
give the proper Task Actions the `task-action` class and gives the Print
button no class.

This addresses issue 3815 where searching by User's phone number doesn't
work in v1.10. This adds phone number search capabilities for the User
Directory and User Search popup in v1.10.

This addresses an issue where expired sessions would not be removed from
the database. This caused the session table to fill up and create
unnecessary issues. This adds a cleanup method to remove all expired
sessions from the database.

This addresses issue where upon deletion of a form field and all its
entry values, the field record wouldn't be deleted from the `form_field`
table. This links another issue where you can't delete a list if its
been a field before. This is due to the list delete() function that
checks for list field records in the `form_field` table.

This is necessary to force a particular timezone on a DateTimeField entry.
If timezone is not set then user's timezone is assumed.