This addresses an issue where New Tickets will fail for Users with a deleted
ListItem retained in their Contact Information form. This is due to the
system deleting the `list_id` for the ListItem so when we run
`getFilterData()` for the User we can't find the list which causes a fatal
error later down the line. This adds an OR statement to the
`SelectionField::getFilterData()` method to skip said ListItems if no
`list_id` is present.

cli: Package Better Wording

FAQ Issues

cli: Package No File Permissions

oops: .eml/.msg Missing Not Operator

Lint Fixes

This updates the variable name that determines if the current PHP version is
5.6+ from `$php56` to `$php56plus`. This will help other understand better
what the variable is/does.

This addresses a typo where we are missing a not operator in class
MailFetcher when checking for no `$body` in the fetched attachments. This
adds the not operator so that the `if()` statement is properly executed and
we correctly set a fake body when there is none.

This addresses an issue where the `package` cli module is leaving out the
permissions on files. This causes the final ZIP archive to contain files
without permissions meaning the files are un-usable until you restore
permissions. This can make life difficult on people trying to install
osTicket with minimal knowledge as they wouldn’t know what is wrong.

This is due to the `setExternalAttributesName` method not shifting 16 bits
on the file "mode" which will not translate to binary. The file "mode" is
the inode protection mode for a file returned by the `stat()` method. It is
essentially a decimal representation of a file's permissions. Since "mode"
is in decimal format we need to shift by 16 bits to translate it to binary
so the archiver understands. Once the mode is translated to binary the
permissions are preserved.

This commit gets rid of PHP warnings. Additionally, it updates the lint tests to be more accurate.

This updates jQuery to the latest stable release of v3.4.0.

xss: XSS To LFI Vulnerability

This addresses a vulnerability found by [AkkuS CW](https://pentest.com.tr)
where a simple XSS attempt can lead to an LFI (Local File Inclusion) attack.
The issue stems from the system returning the unformatted file contents in
an error message when uploading a CSV to the User Importer. This formats the
contents before uploading so that if the contents are returned in an error
message they will not be executed by the browser which therefore prevents
XSS attempts and the possibility of an LFI attack. This also formats all the
user-created data sent to ImportError to prevent the same issue.

issue: .eml/.msg Attachments

This addresses an issue where `.eml` and `.msg` files on incoming mails are
being dropped. This is due the the mail fetcher that tries to process
`.eml`/`.msg` files and adds them as thread entries rather than adding them
as attachments. This adds a new section that utilizes a new method to fetch
the body of `.eml`/`.msg` files, fetches the subjects of the `.eml`/`.msg`
files as the attachment names, and creates attachments. This preserves the
`.eml` and `.msg` files and adds them to the pertinent thread entries as
attachments.

Update README.md

issue: sendAccessLink On NULL

issue: iFrame Single Quotes

It's all about the single quotes baby! Apparently I can't read; the single
quotes are only meant for word options such as `'self'` and `'none'`. When
adding single quotes to the `<host-source>` options it takes them
literally…too literally. For example, if your options are `'localhost:80
localhost:8080 localhost:8000'` then `'localhost:80` and `localhost:8000'`
will be seen as "invalid" due to the single quotes. This removes the single
quotes from every line that sets the CSP so all options are valid. This also
adds single quotes around the `self` option so it stays valid as well.

This commit fixes several issues with how we manage FAQs and related objects.

1. When trying to add a Help Topic to an FAQ, we should add the record to the faq_topic table after saving the faq so that we can accurately retrieve the faq_id

2. When deleting a Help Topic, we need to make sure we're using the topic->delete function rather than deleting based on a QuerySet so that the related FAQ Topics will also be deleted.

3. When deleting a FAQ Category, we need to ensure that we delete all related FAQs and FAQ Topics. To do this, we should use the delete function from the FAQ class first to delete all related FAQs and FAQ Topics and then we should use the Category delete function to delete the remaining Category (remove faqs->expunge from the category->delete function since it we now pass through faq->delete as well)

This addresses an issue where entering a collaborator's email to send ticket
email access link throws a fatal error. This is due to the method that
checks for tickets with the User's email equal to the email provided. This
only checks for User's emails not Collaborator emails. This adds a check for
Collaborator emails as well so this will not crash out.

issue: iFrame On Install

This addresses the "Call to getAllowIframes() on NULL" error on installation
pages. This is due to 4781 that introduced the concept of allowing multiple
iFrames, where we are not checking for `$cfg` before calling the method.
This adds a check for `$cfg` so the errors do not occur.

oops: Emojis Strip Korean

This addresses an issue where Korean text is stripped from the body. This is
due to the strip_emoticons function, as Korean text is in the same unicode
range as some of the emojis.

iframe: Allow Multiple iFrame Domains

issue: Maxfilesize Comma Crash

issue: Strip Emoticons

Fix bug: send new ticket alert to account manager

This addresses an issue where emoticons/emojis cut off the remainder of the
email when being added to a ticket thread.

issue: Organizations Users Sort

This addresses issue 4803 where sorting by Users on Organizations does not
sort properly. It sorts by name instead of the User count. This corrects the
value in the `$sortOptions` array from `users` to `user_count`.

not sending new ticket alert to account manager.

issue: Duplicate Form Titles

This addresses an issue mentioned in the forum where having more than one
custom field on a ticket shows the same title for all forms on the
client-side ticket view (after creation). This adds an array of the form
names indexed by sort order and displays them in the correct order with the
correct names.

Previously, we added a security header to prevent click-jacking called
"X-Frame-Options". This introduced an issue with people using osTicket in
iFrames on their websites. To mitigate the issue, this updates the security
header to allow the site to be framed from specified domains, if none
provided we default to 'self'. This adds a new field to General System
Settings called "Allow iFrames" where you may enter a comma separated list
of domains that the site can be framed on. This also adds a validator for
the field to validate the domains and ensure they fit the <host-source>
syntax from [Mozilla Developer
Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors#Sources).

issue: FAQ Return Errors