This code allows users to Manage Collaborators without the page refreshing so that they will not lose any drafts that might not have been saved yet. Instead, adding/removing collaborators will show up instantly in the active collaborators section.

This code also removes the http response from the updateCollaborators function. This triggers collaborators.tmpl.php to correctly update the active collaborators section without needing to refresh the page.

Conflicts:
	include/class.forms.php

security: CSV Formula Injection

This addresses a security issue discovered by Aishwarya Iyer where a User
can change their Full Name to a windows formula and when an Agent exports a
list of Users containing said User and opens the export file, the formula
will be executed on their computer (if it's windows of course). This adds a
new validator called `is_formula()` to all text fields disallowing the use
of the following characters `= + - @` at the beginning of text. This should
mitigate CSV Formula injections for any text field that allows user-input in
the system. To further prevent CSV Formula injections this adds an escape
mechanism to the Exporter that will escape any content matching the formula
regex with a single quote (as mentioned in many posts about this subject).

issue: PDF Squares Instead Of Text

xss: Install Form

issue: Rogue Closing div Breaks HTML Thread Tree

This addresses an issue reported by Aishwarya Iyer where inserting `<img src
=x onerror = prompt(1)` into any text field on the install form will execute
in the browser after the system is installed and you log in. This is due to
us not sanitizing the content before it’s saved in the database. This adds
`Format::htmlchars()` to the installer to ensure the text field data is
sanitized properly.

This addresses an issue reported by Vincent Monier (Xenos) where posting a
single `</div>` tag as a message or response via the UI will break the HTML
Thread Tree view. This is due to the `html_balance()` method not cleaning
empty div tags. This adds `'div'=>1` to the empty tag array so that any
rogue div tag + any empty div tags are properly removed.

This addresses an issue with Thai fonts (and a few others like Hebrew,
Arabic, etc.) where printing a PDF will show square characters instead of
the actual content. This is due to `autoScriptToLang` and `autoLangToFont`
not being set to `TRUE`. This updates the mPDF config to set the value of
`autoScriptToLang` to `TRUE` as this formats the HTML using the lang
attribute for the specific language of the content. In addition, this
updates the mPDF config to set `autoLangToFont` to `TRUE` as this selects
the correct font to use for the specific language of the content.

https://mpdf.github.io/fonts-languages/automatic-font-selection.html

Conflicts:
	include/class.file.php

Reformat Incorrect Reply-To Headers

Issue/file type override

This commit adds ability to make sure images are indeed images by checking
image type.

issue: Search Reindexing Thread Entries

issue: ISO-8859-8-i Charset Issues

This addresses an issue where `IndexOldStuff()` doesn't reindex everything
it's supposed to. The reindex leaves out all of the Thread Entries with
empty titles or bodies. This is due to the SQL statement that retrieves
thread entries. In the SQL statement, we check if the sum of the Thread
Entry Title length and the Thread Entry Body length is greater than 0. If so
we reindex the entry, otherwise we exclude it. The problem is both
```LENGTH(A1.`title`)``` and ```LENGTH(A1.`body`)``` can return `NULL` and
you cannot add `NULL` (a string) to an integer. This updates the SQL to add
`IFNULL()` statements around the possible `NULL` values so that if `NULL` we
typecast to integer of 0 which can be added to integers successfully.

In the event that we receive an email where the reply-to header is formatted with the name being an unquoted email, we should correct the name by inserting the quotes.

Incorrect Format:
adriane@enhancesoft.com <adriane@enhancesoft.com>

Correct Format:
"adriane@enhancesoft.com" <adriane@enhancesoft.com>

This addresses an issue where emails with `ISO-8859-8-i` character-sets
appear as "(empty)" in the system. This is due to `ISO-8859-8-i` not being a
valid character-set for `iconv()`. When you pass `ISO-8859-8-i` to `iconv()`
you will receive an error similar to `iconv(): Wrong charset, conversion
from 'ISO-8859-8-i' to 'UTF-8//IGNORE' is not allowed`. I don’t know why
it's not a valid character-set for `iconv()` but the trailing `-i` is used
to say "keep the text in logical order instead of visual order". Logical
order just means to keep the text in true right-to-left format instead of
transcoding the characters to left-to-right format.

This adds a new case to the `Charset::normalize()` switch statement to match
against `ISO-XXXX-X-i`. If a character set matches the criteria we will
remove the trailing `-i` and set the charset to `ISO-XXXX-X`. This charset
format is valid in `iconv()` which will return the correctly formatted email
instead of "(empty)".

Empty extra in list_items

issue: Account Registration Throws Errors

issue: Retained Deleted ListItem Errors

issue: iFrame Single Quotes

It's all about the single quotes baby! Apparently I can't read; the single
quotes are only meant for word options such as `'self'` and `'none'`. When
adding single quotes to the `<host-source>` options it takes them
literally…too literally. For example, if your options are `'localhost:80
localhost:8080 localhost:8000'` then `'localhost:80` and `localhost:8000'` will
be seen as "invalid" due to the single quotes. This removes the single
quotes from every line that sets the CSP so all options are valid. This also
adds single quotes around the `self` option so it stays valid as well.

Remove file type overwrite previously used to force downloads. This
addresses potential XSS where an attacker could pass "image" resulting in
the file being displayed in line.

Double semicolon removed

Issue: Ticket Alerts vs Dept Recipients

task: Implement edit of task thread

If an alert is enabled for only the Department Manager and the Department Recipients field is set to No one, the Department Manager still receives a notification.

If the recipients field is set to no one, nobody should receive an alert regardless of what is checked on the New Ticket Alert selections.

To fix this, we can do a count of what the getMembersForAlerts function returns. This function compares what is set for a Department's group_membership in the database to the ALERTS_DISABLED constant to return a query set of members that should receive an alert. If the count is 0, we know that alerts should be disabled.

This fixes an issue where, for task threads, if an agent has the thread edit
permission, the agent was neither able to edit his or her own entries, nor the
entries of other agents.

If you have a custom field that's based on a list and the default value is set to a list item where the extra field is empty ('') instead of NULL, you cannot set the default value back to 'Select a Default'. You CAN set it to other default values

Extra is set to empty if you erase the abbreviation and save it. Should save as NULL instead of empty

Note: for some reason this didn't work

if ($k == 'abbrev' && empty($vars[$k]))
                $this->set($v, NULL);

This addresses issue 4898 where a User that clicks the ticket link in an
email alert to view the ticket, in that ticket view clicks the link to
register for an account, fills out the registration form, and clicks Create
will throw a an "Unable to register account. See messages below." error.
When the Users get this error there are no messages below so they can't see
anything to fix which prevents them from creating an account. This is due to
the email field being disabled which means the value is not sent in POST so
the system thinks the User sent no email address which throws a hidden
"Email field required." error. We disabled the email field to prevent an
attacker from accessing the user’s guest login and registering the user with
a different email (possibly his own). This sets a POST value called 'email'
to the client's email so that the registration process acknowledges and
validates the email allowing registration to continue.

This addresses an issue where New Tickets will fail for Users with a deleted
ListItem retained in their Contact Information form. This is due to the
system deleting the `list_id` for the ListItem so when we run
`getFilterData()` for the User we can't find the list which causes a fatal
error later down the line. This adds an OR statement to the
`SelectionField::getFilterData()` method to skip said ListItems if no
`list_id` is present.

Conflicts:
	include/class.dynamic_forms.php
	include/class.mailparse.php
	include/client/open.inc.php
	include/staff/templates/user-lookup.tmpl.php
	setup/test/tests/stubs.php

cli: Package Better Wording