This addresses an issue reported by Aishwarya Iyer where attached HTML files
are executed in the browser instead of forcing download in Firefox and IE
for Windows specifically. This is caused by an incorrect
`Content-Disposition` set in the `AttachmentFile::download` function.
Instead of attachments having a disposition of `attachment` (which forces
download) they have a disposition of `inline` (which displays the file
contents in the browser). This updates the download function to use whatever
disposition is passed (for S3 plugin), if none it defaults to `attachment`.
In addition, this overwrites the disposition and sets it to `attachment`
after the `$bk->sendRedirectURL()` so that S3 attachments still work and the
issue of an attacker passing their own disposition is mitigated.

This addresses an issue where having a new line in a standard, non-richtext
textarea field fails on `is_formula` validation. This is due to the regex
not running in Dotall mode, which does not match new line characters. Dotall
mode makes the dot (`.`) character match anything _including_ new line
characters. This adds the `s` flag to the regex so that new lines are
properly matched.

This addresses a security issue discovered by Aishwarya Iyer where a User
can change their Full Name to a windows formula and when an Agent exports a
list of Users containing said User and opens the export file, the formula
will be executed on their computer (if it's windows of course). This adds a
new validator called `is_formula()` to all text fields disallowing the use
of the following characters `= + - @` at the beginning of text. This should
mitigate CSV Formula injections for any text field that allows user-input in
the system. To further prevent CSV Formula injections this adds an escape
mechanism to the Exporter that will escape any content matching the formula
regex with a single quote (as mentioned in many posts about this subject).

This addresses an issue reported by Vincent Monier (Xenos) where posting a
single `</div>` tag as a message or response via the UI will break the HTML
Thread Tree view. This is due to the `html_balance()` method not cleaning
empty div tags. This adds `'div'=>1` to the empty tag array so that any
rogue div tag + any empty div tags are properly removed.

This commit adds ability to make sure images are indeed images by checking
image type.

This addresses an issue where `IndexOldStuff()` doesn't reindex everything
it's supposed to. The reindex leaves out all of the Thread Entries with
empty titles or bodies. This is due to the SQL statement that retrieves
thread entries. In the SQL statement, we check if the sum of the Thread
Entry Title length and the Thread Entry Body length is greater than 0. If so
we reindex the entry, otherwise we exclude it. The problem is both
```LENGTH(A1.`title`)``` and ```LENGTH(A1.`body`)``` can return `NULL` and
you cannot add `NULL` (a string) to an integer. This updates the SQL to add
`IFNULL()` statements around the possible `NULL` values so that if `NULL` we
typecast to integer of 0 which can be added to integers successfully.

This addresses an issue where emails with `ISO-8859-8-i` character-sets
appear as "(empty)" in the system. This is due to `ISO-8859-8-i` not being a
valid character-set for `iconv()`. When you pass `ISO-8859-8-i` to `iconv()`
you will receive an error similar to `iconv(): Wrong charset, conversion
from 'ISO-8859-8-i' to 'UTF-8//IGNORE' is not allowed`. I don’t know why
it's not a valid character-set for `iconv()` but the trailing `-i` is used
to say "keep the text in logical order instead of visual order". Logical
order just means to keep the text in true right-to-left format instead of
transcoding the characters to left-to-right format.

This adds a new case to the `Charset::normalize()` switch statement to match
against `ISO-XXXX-X-i`. If a character set matches the criteria we will
remove the trailing `-i` and set the charset to `ISO-XXXX-X`. This charset
format is valid in `iconv()` which will return the correctly formatted email
instead of "(empty)".

Remove file type overwrite previously used to force downloads. This
addresses potential XSS where an attacker could pass "image" resulting in
the file being displayed in line.

This addresses an issue where New Tickets will fail for Users with a deleted
ListItem retained in their Contact Information form. This is due to the
system deleting the `list_id` for the ListItem so when we run
`getFilterData()` for the User we can't find the list which causes a fatal
error later down the line. This adds an OR statement to the
`SelectionField::getFilterData()` method to skip said ListItems if no
`list_id` is present.

This updates the variable name that determines if the current PHP version is
5.6+ from `$php56` to `$php56plus`. This will help other understand better
what the variable is/does.

This addresses a typo where we are missing a not operator in class
MailFetcher when checking for no `$body` in the fetched attachments. This
adds the not operator so that the `if()` statement is properly executed and
we correctly set a fake body when there is none.

This addresses an issue where the `package` cli module is leaving out the
permissions on files. This causes the final ZIP archive to contain files
without permissions meaning the files are un-usable until you restore
permissions. This can make life difficult on people trying to install
osTicket with minimal knowledge as they wouldn’t know what is wrong.

This is due to the `setExternalAttributesName` method not shifting 16 bits
on the file "mode" which will not translate to binary. The file "mode" is
the inode protection mode for a file returned by the `stat()` method. It is
essentially a decimal representation of a file's permissions. Since "mode"
is in decimal format we need to shift by 16 bits to translate it to binary
so the archiver understands. Once the mode is translated to binary the
permissions are preserved.

This commit gets rid of PHP warnings. Additionally, it updates the lint tests to be more accurate.

This updates jQuery to the latest stable release of v3.4.0.

This addresses a vulnerability found by [AkkuS CW](https://pentest.com.tr)
where a simple XSS attempt can lead to an LFI (Local File Inclusion) attack.
The issue stems from the system returning the unformatted file contents in
an error message when uploading a CSV to the User Importer. This formats the
contents before uploading so that if the contents are returned in an error
message they will not be executed by the browser which therefore prevents
XSS attempts and the possibility of an LFI attack. This also formats all the
user-created data sent to ImportError to prevent the same issue.

This addresses an issue where `.eml` and `.msg` files on incoming mails are
being dropped. This is due the the mail fetcher that tries to process
`.eml`/`.msg` files and adds them as thread entries rather than adding them
as attachments. This adds a new section that utilizes a new method to fetch
the body of `.eml`/`.msg` files, fetches the subjects of the `.eml`/`.msg`
files as the attachment names, and creates attachments. This preserves the
`.eml` and `.msg` files and adds them to the pertinent thread entries as
attachments.

It's all about the single quotes baby! Apparently I can't read; the single
quotes are only meant for word options such as `'self'` and `'none'`. When
adding single quotes to the `<host-source>` options it takes them
literally…too literally. For example, if your options are `'localhost:80
localhost:8080 localhost:8000'` then `'localhost:80` and `localhost:8000'`
will be seen as "invalid" due to the single quotes. This removes the single
quotes from every line that sets the CSP so all options are valid. This also
adds single quotes around the `self` option so it stays valid as well.

This commit fixes several issues with how we manage FAQs and related objects.

1. When trying to add a Help Topic to an FAQ, we should add the record to the faq_topic table after saving the faq so that we can accurately retrieve the faq_id

2. When deleting a Help Topic, we need to make sure we're using the topic->delete function rather than deleting based on a QuerySet so that the related FAQ Topics will also be deleted.

3. When deleting a FAQ Category, we need to ensure that we delete all related FAQs and FAQ Topics. To do this, we should use the delete function from the FAQ class first to delete all related FAQs and FAQ Topics and then we should use the Category delete function to delete the remaining Category (remove faqs->expunge from the category->delete function since it we now pass through faq->delete as well)

This addresses an issue where entering a collaborator's email to send ticket
email access link throws a fatal error. This is due to the method that
checks for tickets with the User's email equal to the email provided. This
only checks for User's emails not Collaborator emails. This adds a check for
Collaborator emails as well so this will not crash out.

This addresses an issue where Korean text is stripped from the body. This is
due to the strip_emoticons function, as Korean text is in the same unicode
range as some of the emojis.

This addresses an issue where emoticons/emojis cut off the remainder of the
email when being added to a ticket thread.

This addresses issue 4803 where sorting by Users on Organizations does not
sort properly. It sorts by name instead of the User count. This corrects the
value in the `$sortOptions` array from `users` to `user_count`.

not sending new ticket alert to account manager.

This addresses an issue mentioned in the forum where having more than one
custom field on a ticket shows the same title for all forms on the
client-side ticket view (after creation). This adds an array of the form
names indexed by sort order and displays them in the correct order with the
correct names.

Previously, we added a security header to prevent click-jacking called
"X-Frame-Options". This introduced an issue with people using osTicket in
iFrames on their websites. To mitigate the issue, this updates the security
header to allow the site to be framed from specified domains, if none
provided we default to 'self'. This adds a new field to General System
Settings called "Allow iFrames" where you may enter a comma separated list
of domains that the site can be framed on. This also adds a validator for
the field to validate the domains and ensure they fit the <host-source>
syntax from [Mozilla Developer
Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors#Sources).

This addresses an issue reported on the Forum where creating a new FAQ and
not filling out required information returns the correct error but returns
the incorrect template (FAQ View Template). This is due to the check for an
FAQ when determining the template to return. This adds a check for the FAQ
ID to determine if it’s an actual FAQ or just a model instance.

This addresses an issue reported on the forum where searching for a keyword
in FAQ search brings back more results than it should. This is due to the
format of the query selecting the results, essentially, the `WHERE NOT`
statement is not properly formatted so the `OR` statements take precedence
over the `WHERE NOT` causing non-public results to be shown to the client.
The `WHERE NOT` statement contains the bit to select from only public faqs
and since the `OR` takes precedence it will return the non-public results
too.

This addresses issue 4756 where the `%{recipient.ticket_link}` variable is
not being replaced when the canned response is loaded in the reply box; all
other link variables work. This is due to the recipient object not being
passed to the variableReplacer which means the ticket_link is not available.
This adds the recipient object to the variableReplacer so the ticket_link
variable is properly replaced like the others on load.

This addresses issue 4716 where updating a Ticket Status throws a fatal
error of "Too few arguments" when using PHP 7.2. This is due to `$errors`
not being passed to the `update()` function causing PHP 7.2 to freak out.
This creates an `$errors` array and passes it to `update()` so PHP 7.2 is
happy and we are all happy. :)

This addresses issue 4738 where the Upgrade and Migration Guide link is
incorrect. This updates the link to the new Documentation site.

This pull request is wayyyy overdue. This updates jQuery and all related
files to the latest jQuery release (3.3.1). This also adds a new script
called jQuery-Migrate that maintains older functions needed for a few things
(eg. `filedrop.field.js`).

This addresses an issue where the Loading overlay on Tasks will not
disappear after the request was submitted. This adds two lines to first hide
the "Loading" modal and then toggle the overlay.

This commit addresses issues we had with viewing Task(s) within a Ticket:

1. When viewing the table of all Tasks on a Ticket, the Options dropdown should only allow the Agent to Reopen or Close the Tasks based on the status of the Tasks.
Ex: If there is only 1 Open Task, you should only see the 'Close' Option
    If there are 2 Closed Tasks, you should only see the 'Reopen' Option
    If there are multiple Tasks in which some are Open and some are Closed, you should see both the 'Reopen' and 'Close' options

2. When viewing an individual Task within a Ticket, the status options were the opposite of what they should have been. Now, if the Task is Open, the Agent will see the option to 'Close' the Task. If the Task is Closded, the Agent will see the option to 'Reopen' the Task.

This addresses an issue where exporting statistics via the dashboard within
a certain timeframe (eg. 07/01/2018 -> One Quarter) will always export the
statistics from the selected date up to today. This is due to the Period
option always being set to "Up to today" when the Export button is clicked
which in return exports the stats from the selected start date to today.
This adds JS to set the period the Agent selects so the Export will return
the stats from the selected date to the selected period.

This addresses an issue where Users updating their profile will throw an SQL
error in the system logs. This is due to a line of code trying to set a
value for the `dst` column which no longer exists as of `1.10.0`.

This addresses an issue introduced with 4426 that references an undefined
class.

This improves accessibility by adding screen readable labels to ticket
actions that don’t already have them.

This addresses issue 4470 where Users creating tickets via Client Portal and
failing to fill out a required field makes disabled fields by Help Topic
appear on the page. When the disabled fields appear they allow Users to
populate and save data that they were not meant to submit.