- Jul 26, 2019
-
JediKev authored
Reviewed-by: JediKev <kevin@enhancesoft.com>
-
Peter Rotich authored
Issue: manage.php file migrate fails when files have size=0
-
JediKev authored
Last one I promise ;) This addresses the sizing issue of the logo in the `README.md` file.
-
Peter Rotich authored
issue: README.md osTicket Logo
-
- Jul 25, 2019
-
JediKev authored
This adds the osTicket logo to the `images/` folder so that we don't have to reference a URL that might change in the future. In addition this updates the osTicket logo reference in the `README.md` file to point to the new location.
-
Peter Rotich authored
security: HTML File Browser Execution (Windows: Firefox/IE)
-
- Jul 24, 2019
-
JediKev authored
This addresses an issue reported by Aishwarya Iyer where attached HTML files are executed in the browser instead of forcing download in Firefox and IE for Windows specifically. This is caused by an incorrect `Content-Disposition` set in the `AttachmentFile::download` function. Instead of attachments having a disposition of `attachment` (which forces download) they have a disposition of `inline` (which displays the file contents in the browser). This updates the download function to use whatever disposition is passed (for S3 plugin), if none it defaults to `attachment`. In addition, this overwrites the disposition and sets it to `attachment` after the `$bk->sendRedirectURL()` so that S3 attachments still work and the issue of an attacker passing their own disposition is mitigated.
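The disposition handling described in the commit above, written out as an added Python example (this is not osTicket's `AttachmentFile::download` code and the function names are my own): the requested disposition is checked against the two valid values, anything else falls back to `attachment`, and a `force_attachment` flag pins the type regardless of what a caller asked for, which is the equivalent of overwriting the disposition after the storage backend has had its chance to redirect.

```python
import re
from urllib.parse import quote

# Only these two values are meaningful in a Content-Disposition header.
ALLOWED_DISPOSITIONS = {"attachment", "inline"}


def content_disposition(filename, requested=None, force_attachment=True):
    """Build the value of a Content-Disposition header (hypothetical helper).

    requested        - disposition a caller (e.g. a storage plugin) asks for
    force_attachment - when True the type is pinned to "attachment" no matter
                       what was requested, so an HTML upload is always saved
                       to disk instead of rendered by the browser
    """
    disposition = (requested or "").strip().lower()
    if force_attachment or disposition not in ALLOWED_DISPOSITIONS:
        disposition = "attachment"

    # Replace path separators, quotes and control characters so the file name
    # cannot inject header line breaks or directory components.
    safe = re.sub(r'[\\/\r\n"\x00-\x1f]', "_", filename)
    ascii_fallback = safe.encode("ascii", "replace").decode("ascii")
    header = '%s; filename="%s"' % (disposition, ascii_fallback)
    if safe != ascii_fallback:
        # RFC 5987 form carries the real (non-ASCII) name alongside the fallback.
        header += "; filename*=UTF-8''" + quote(safe, safe="")
    return header


def response_headers(filename, content_type, requested=None, force_attachment=True):
    """Headers for serving one attachment; nosniff stops the browser from
    second-guessing the declared type."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": content_disposition(filename, requested, force_attachment),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed request: a caller asks for "inline" on an HTML upload.
    print(response_headers("report.html", "text/html", requested="inline"))
```

With the default `force_attachment=True`, even a caller that passes `inline` (or any unexpected string) gets `attachment` back; pass `force_attachment=False` only on the code path where a trusted backend is allowed to choose.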
-
Peter Rotich authored
issue: is_formula Dotall Mode
-
- Jul 23, 2019
-
JediKev authored
This addresses an issue where having a new line in a standard, non-richtext textarea field fails on `is_formula` validation. This is due to the regex not running in Dotall mode, which does not match new line characters. Dotall mode makes the dot (`.`) character match anything _including_ new line characters. This adds the `s` flag to the regex so that new lines are properly matched.
-
- Jul 12, 2019
-
Peter Rotich authored
security: CSV Formula Injection
-
- Jul 11, 2019
-
JediKev authored
This addresses a security issue discovered by Aishwarya Iyer where a User can change their Full Name to a windows formula and when an Agent exports a list of Users containing said User and opens the export file, the formula will be executed on their computer (if it's windows of course). This adds a new validator called `is_formula()` to all text fields disallowing the use of the following characters `= + - @` at the beginning of text. This should mitigate CSV Formula injections for any text field that allows user-input in the system. To further prevent CSV Formula injections this adds an escape mechanism to the Exporter that will escape any content matching the formula regex with a single quote (as mentioned in many posts about this subject).
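Both layers from the commit above (reject formula-looking input, and escape on export) together with the Dotall point from the Jul 23 `is_formula` commit, as an added Python example. This is not osTicket's validator or exporter and the regex is a constructed one; it illustrates why the `s` (DOTALL) flag matters when the checked value spans more than one line, since without it `.` stops at the first newline and `$` cannot match the end of a multi-line value.

```python
import csv
import io
import re

# A spreadsheet treats a cell starting with one of = + - @ as a formula.
# Leading whitespace is tolerated so "  =1+1" is caught as well.
FORMULA_RE = re.compile(r"^\s*[=+\-@].*$", re.DOTALL)
# Same pattern without DOTALL, kept only to show the difference on multi-line input.
FORMULA_RE_NO_DOTALL = re.compile(r"^\s*[=+\-@].*$")


def is_formula(value):
    """Input-time validator: True when the value would be parsed as a formula."""
    return bool(FORMULA_RE.match(value))


def is_formula_without_dotall(value):
    """The same check with the `s` flag missing (buggy variant for comparison)."""
    return bool(FORMULA_RE_NO_DOTALL.match(value))


def escape_csv_cell(value):
    """Export-time defence: prefix a single quote so the cell is read as text.

    Tab and carriage return are also treated as formula starters by some
    spreadsheet clients, so they are neutralised too.
    """
    if is_formula(value) or value[:1] in ("\t", "\r"):
        return "'" + value
    return value


def export_rows(rows):
    """Render rows as CSV text with every cell passed through escape_csv_cell."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([escape_csv_cell(str(cell)) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed user list; the second user's name is a formula.
    sample = [["Name", "Email"], ["=1+1", "a@b.example"], ["John Smith", "john@example.com"]]
    print(export_rows(sample))
```

The validator stops such a value from being stored in the first place; the exporter covers values that were stored before the validator existed or reached the table by another route.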
-
Peter Rotich authored
xss: Install Form
-
Peter Rotich authored
issue: Rogue Closing div Breaks HTML Thread Tree
-
- Jul 10, 2019
-
JediKev authored
This addresses an issue reported by Aishwarya Iyer where inserting `<img src =x onerror = prompt(1)` into any text field on the install form will execute in the browser after the system is installed and you log in. This is due to us not sanitizing the content before it’s saved in the database. This adds `Format::htmlchars()` to the installer to ensure the text field data is sanitized properly.
-
JediKev authored
This addresses an issue reported by Vincent Monier (Xenos) where posting a single `</div>` tag as a message or response via the UI will break the HTML Thread Tree view. This is due to the `html_balance()` method not cleaning empty div tags. This adds `'div'=>1` to the empty tag array so that any rogue div tag + any empty div tags are properly removed.
-
- Jul 09, 2019
-
Peter Rotich authored
Issue/file type override
-
Peter Rotich authored
This commit adds the ability to make sure images are indeed images by checking image type.
-
Peter Rotich authored
issue: Search Reindexing Thread Entries
-
Peter Rotich authored
issue: ISO-8859-8-i Charset Issues
-
- Jul 03, 2019
-
JediKev authored
This addresses an issue where `IndexOldStuff()` doesn't reindex everything it's supposed to. The reindex leaves out all of the Thread Entries with empty titles or bodies. This is due to the SQL statement that retrieves thread entries. In the SQL statement, we check if the sum of the Thread Entry Title length and the Thread Entry Body length is greater than 0. If so we reindex the entry, otherwise we exclude it. The problem is both ```LENGTH(A1.`title`)``` and ```LENGTH(A1.`body`)``` can return `NULL` and you cannot add `NULL` (a string) to an integer. This updates the SQL to add `IFNULL()` statements around the possible `NULL` values so that if `NULL` we typecast to integer of 0 which can be added to integers successfully.
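The row-dropping behaviour and the `IFNULL()` fix, reproduced as an added Python example against SQLite (not osTicket's reindex code; the table and rows are constructed). SQLite follows the same rule as MySQL here: `LENGTH(NULL)` is `NULL`, `NULL + <integer>` is `NULL`, and `NULL > 0` is not true, so the entry silently falls out of the `WHERE` clause.

```python
import sqlite3

# Constructed thread entries; None stands for a NULL title or body.
SAMPLE_ENTRIES = [
    (1, "Printer broken", "It jams on page 2"),
    (2, None, "Body only, no title"),
    (3, "Title only, no body", None),
    (4, None, None),
    (5, "", ""),
]


def _connect():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE thread_entry (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    db.executemany("INSERT INTO thread_entry VALUES (?, ?, ?)", SAMPLE_ENTRIES)
    return db


def ids_to_reindex_naive():
    """Original shape of the query: any NULL title or body makes the sum NULL."""
    db = _connect()
    rows = db.execute(
        "SELECT id FROM thread_entry AS A1 "
        "WHERE LENGTH(A1.title) + LENGTH(A1.body) > 0 ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def ids_to_reindex_fixed():
    """IFNULL() turns a NULL length into 0 so the sum is always an integer."""
    db = _connect()
    rows = db.execute(
        "SELECT id FROM thread_entry AS A1 "
        "WHERE IFNULL(LENGTH(A1.title), 0) + IFNULL(LENGTH(A1.body), 0) > 0 "
        "ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("naive:", ids_to_reindex_naive())  # only the fully populated entry
    print("fixed:", ids_to_reindex_fixed())  # everything with some text
```

Entry 5 (empty strings, not NULLs) is correctly excluded by both forms, which is the behaviour the original `> 0` check intended; only the NULL rows differ.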
-
- Jun 28, 2019
-
JediKev authored
This addresses an issue where emails with `ISO-8859-8-i` character-sets appear as "(empty)" in the system. This is due to `ISO-8859-8-i` not being a valid character-set for `iconv()`. When you pass `ISO-8859-8-i` to `iconv()` you will receive an error similar to `iconv(): Wrong charset, conversion from 'ISO-8859-8-i' to 'UTF-8//IGNORE' is not allowed`. I don’t know why it's not a valid character-set for `iconv()` but the trailing `-i` is used to say "keep the text in logical order instead of visual order". Logical order just means to keep the text in true right-to-left format instead of transcoding the characters to left-to-right format. This adds a new case to the `Charset::normalize()` switch statement to match against `ISO-XXXX-X-i`. If a character set matches the criteria we will remove the trailing `-i` and set the charset to `ISO-XXXX-X`. This charset format is valid in `iconv()` which will return the correctly formatted email instead of "(empty)".
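The normalisation described above, as an added Python example (not osTicket's `Charset::normalize()`; the function names and the Hebrew sample bytes are constructed). Python's codec registry behaves like `iconv()` here: it knows `iso-8859-8` but not the `-i` label, so decoding with the raw name raises `LookupError` and the message would come out as "(empty)".

```python
import codecs
import re

# Matches ISO-XXXX-X-i (logical-order variant) and captures the base charset.
ISO_LOGICAL_RE = re.compile(r"^(iso-\d{4}-\d+)-i$", re.IGNORECASE)


def normalize_charset(charset):
    """Map a mail-header charset label to a name the codec library accepts."""
    name = charset.strip().lower()
    m = ISO_LOGICAL_RE.match(name)
    if m:
        # Drop the trailing -i: the bytes are the same, only the display-order
        # hint differs, and the decoder does not need that hint.
        return m.group(1)
    return name


def charset_is_known(charset):
    """True when the codec library can decode this charset label as given."""
    try:
        codecs.lookup(charset)
        return True
    except LookupError:
        return False


def decode_body(raw, charset):
    """Decode a message body, falling back to the "(empty)" marker on an
    unknown charset, which is the symptom the fix removes."""
    try:
        return raw.decode(normalize_charset(charset), errors="ignore")
    except LookupError:
        return "(empty)"


if __name__ == "__main__":
    # Constructed body: the word "shalom" in ISO-8859-8.
    body = b"\xf9\xec\xe5\xed"
    print(charset_is_known("ISO-8859-8-i"), charset_is_known(normalize_charset("ISO-8859-8-i")))
    print(decode_body(body, "ISO-8859-8-i"))
```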
-
Peter Rotich authored
issue: Account Registration Throws Errors
-
Peter Rotich authored
issue: Retained Deleted ListItem Errors
-
- Jun 13, 2019
-
Peter Rotich authored
Remove file type overwrite previously used to force downloads. This addresses potential XSS where an attacker could pass "image" resulting in the file being displayed in line.
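An added Python example for the two related commits above (the Jul 9 "make sure images are indeed images" change and this removal of the client-controlled type override). It is not osTicket code: the content type to serve comes only from the stored record, a type that claims to be an image is verified against the file's leading bytes, and any override carried by the request is ignored outright.

```python
# Leading byte signatures for the image types we are willing to serve inline.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data):
    """Return the image MIME type implied by the file's magic bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def effective_content_type(stored_type, data, client_override=None):
    """Decide the Content-Type for an attachment (hypothetical helper).

    client_override is deliberately unused: honouring a request parameter
    would let "image" be asserted for an HTML upload and get it rendered
    in the browser. When the stored type says image but the bytes do not,
    the file is served as an opaque download instead.
    """
    if stored_type.startswith("image/"):
        sniffed = sniff_image_type(data)
        if sniffed is None:
            return "application/octet-stream"
        return sniffed
    return stored_type


if __name__ == "__main__":
    # Constructed uploads: a real PNG header and an HTML document mislabelled as PNG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    html = b"<html><body>hi</body></html>"
    print(effective_content_type("image/png", png, client_override="image"))
    print(effective_content_type("image/png", html, client_override="image"))
```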
-
- May 23, 2019
-
JediKev authored
This addresses issue 4898 where a User that clicks the ticket link in an email alert to view the ticket, in that ticket view clicks the link to register for an account, fills out the registration form, and clicks Create will throw an "Unable to register account. See messages below." error. When the Users get this error there are no messages below so they can't see anything to fix which prevents them from creating an account. This is due to the email field being disabled which means the value is not sent in POST so the system thinks the User sent no email address which throws a hidden "Email field required." error. We disabled the email field to prevent an attacker from accessing the user’s guest login and registering the user with a different email (possibly his own). This sets a POST value called 'email' to the client's email so that the registration process acknowledges and validates the email allowing registration to continue.
-
- May 22, 2019
-
JediKev authored
This addresses an issue where New Tickets will fail for Users with a deleted ListItem retained in their Contact Information form. This is due to the system deleting the `list_id` for the ListItem so when we run `getFilterData()` for the User we can't find the list which causes a fatal error later down the line. This adds an OR statement to the `SelectionField::getFilterData()` method to skip said ListItems if no `list_id` is present.
-
- May 10, 2019
-
Peter Rotich authored
-
Peter Rotich authored
cli: Package Better Wording
-
- May 09, 2019
-
Peter Rotich authored
FAQ Issues
-
Peter Rotich authored
cli: Package No File Permissions
-
Peter Rotich authored
oops: .eml/.msg Missing Not Operator
-
Peter Rotich authored
Lint Fixes
-
JediKev authored
This updates the variable name that determines if the current PHP version is 5.6+ from `$php56` to `$php56plus`. This will help others understand better what the variable is/does.
-
- Apr 30, 2019
-
Peter Rotich authored
-
- Apr 29, 2019
-
JediKev authored
This addresses a typo where we are missing a not operator in class MailFetcher when checking for no `$body` in the fetched attachments. This adds the not operator so that the `if()` statement is properly executed and we correctly set a fake body when there is none.
-
- Apr 25, 2019
-
JediKev authored
This addresses an issue where the `package` cli module is leaving out the permissions on files. This causes the final ZIP archive to contain files without permissions meaning the files are unusable until you restore permissions. This can make life difficult on people trying to install osTicket with minimal knowledge as they wouldn’t know what is wrong. This is due to the `setExternalAttributesName` method not shifting 16 bits on the file "mode" which will not translate to binary. The file "mode" is the inode protection mode for a file returned by the `stat()` method. It is essentially a decimal representation of a file's permissions. Since "mode" is in decimal format we need to shift by 16 bits to translate it to binary so the archiver understands. Once the mode is translated to binary the permissions are preserved.
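The 16-bit shift from the commit above, shown with Python's standard `zipfile` module as an added example (this is not the osTicket `package` cli code; file names, modes and contents are constructed). The ZIP "external attributes" field is 32 bits wide and Unix keeps the `st_mode` bits in its upper half, so a mode stored without the shift lands in the low 16 bits (the MS-DOS attribute area) and reads back as no permissions at all.

```python
import io
import stat
import zipfile

# Constructed package contents: name -> (st_mode as os.stat() would report it, bytes).
SAMPLE_FILES = {
    "setup/install.sh": (0o100755, b"#!/bin/sh\necho installing\n"),
    "include/config.php": (0o100640, b"<?php\n// settings\n"),
}

_FIXED_DATE = (2019, 4, 25, 0, 0, 0)  # constant timestamp keeps the archive reproducible


def build_archive(files):
    """Write files to an in-memory ZIP, storing each mode in the high 16 bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (mode, content) in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=_FIXED_DATE)
            info.external_attr = (mode & 0xFFFF) << 16  # the shift the fix adds
            zf.writestr(info, content)
    return buf.getvalue()


def build_archive_without_shift(files):
    """Same as build_archive but with the bug: mode written to the low 16 bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (mode, content) in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=_FIXED_DATE)
            info.external_attr = mode  # no shift: permissions are lost
            zf.writestr(info, content)
    return buf.getvalue()


def archived_permissions(archive_bytes):
    """Read the archive back and report name -> permission bits per entry."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            result[info.filename] = stat.S_IMODE(info.external_attr >> 16)
    return result


if __name__ == "__main__":
    print({k: oct(v) for k, v in archived_permissions(build_archive(SAMPLE_FILES)).items()})
    print({k: oct(v) for k, v in archived_permissions(build_archive_without_shift(SAMPLE_FILES)).items()})
```

`archived_permissions` is the check to run on the produced archive: every entry should report the mode you packaged, and a result of `0` for all files is the symptom the commit describes.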
-
aydreeihn authored
This commit gets rid of PHP warnings. Additionally, it updates the lint tests to be more accurate.
-
- Apr 24, 2019
-
Peter Rotich authored
-
JediKev authored
This updates jQuery to the latest stable release of v3.4.0.
-