Merge branch '3.10-dev' into 4.0-dev

.editorconfig

@@ -1,4 +1,4 @@
-# EditorConfig is awesome: http://EditorConfig.org
+# EditorConfig is awesome: https://EditorConfig.org
 
 # top-most EditorConfig file
 root = true

administrator/components/com_config/forms/application.xml

@@ -151,6 +151,7 @@
 			autocomplete="off"
 			size="30"
 			hint="***************"
+			lock="true"
 		/>
 
 		<field
@@ -193,6 +194,17 @@
 			size="30"
 		/>
 
+		<field
+			name="password"
+			type="password"
+			label="COM_CONFIG_FIELD_DATABASE_PASSWORD_LABEL"
+			description="COM_CONFIG_FIELD_DATABASE_PASSWORD_DESC"
+			filter="raw"
+			autocomplete="off"
+			size="30"
+			lock="true"
+		/>
+
 		<field
 			name="db"
 			type="text"
@@ -408,7 +420,7 @@
 			showon="ftp_enable:1"
 			autocomplete="off"
 			size="25"
-			hint="***************"
+			lock="true"
 		/>
 
 		<field
@@ -477,7 +489,7 @@
 			showon="proxy_enable:1"
 			autocomplete="off"
 			size="25"
-			hint="***************"
+			lock="true"
 		/>
 
 	</fieldset>
@@ -656,7 +668,7 @@
 			filter="raw"
 			autocomplete="off"
 			size="30"
-			hint="***************"
+			lock="true"
 		/>
 
 	</fieldset>
@@ -942,7 +954,7 @@
 			showon="session_handler:redis"
 			autocomplete="off"
 			size="30"
-			hint="***************"
+			lock="true"
 		/>
 
 		<field

administrator/components/com_config/src/Controller/ApplicationController.php

@@ -80,6 +80,8 @@ class ApplicationController extends BaseController
 			return false;
 		}
 
+		$this->app->setUserState('com_config.config.global.data', null);
+
 		// Set FTP credentials, if given.
 		ClientHelper::setCredentialsFromRequest('ftp');
 

administrator/components/com_config/src/Model/ApplicationModel.php

@@ -286,15 +286,6 @@ class ApplicationModel extends FormModel
 			}
 		}
 
-		// Unset all protected config fields to empty
-		foreach ($this->protectedConfigurationFields as $fieldKey)
-		{
-			if (isset($data[$fieldKey]))
-			{
-				$data[$fieldKey] = '';
-			}
-		}
-
 		return $data;
 	}
 
@@ -314,7 +305,7 @@ class ApplicationModel extends FormModel
 		// Try to load the values from the configuration file
 		foreach ($this->protectedConfigurationFields as $fieldKey)
 		{
-			if (isset($data[$fieldKey]) && empty($data[$fieldKey]))
+			if (!isset($data[$fieldKey]))
 			{
 				$data[$fieldKey] = $app->get($fieldKey, '');
 			}
@@ -325,7 +316,7 @@ class ApplicationModel extends FormModel
 			'driver'   => $data['dbtype'],
 			'host'     => $data['host'],
 			'user'     => $data['user'],
-			'password' => $app->get('password'),
+			'password' => $data['password'],
 			'database' => $data['db'],
 			'prefix'   => $data['dbprefix'],
 		);
@@ -1249,7 +1240,7 @@ class ApplicationModel extends FormModel
 		$app = Factory::getApplication();
 		$user = Factory::getUser();
 		$input = $app->input->json;
-		$smtppass = $input->get('smtppass', '', 'RAW');
+		$smtppass = $input->get('smtppass', null, 'RAW');
 
 		$app->set('smtpauth', $input->get('smtpauth'));
 		$app->set('smtpuser', $input->get('smtpuser', '', 'STRING'));
@@ -1262,7 +1253,7 @@ class ApplicationModel extends FormModel
 		$app->set('mailonline', $input->get('mailonline'));
 
 		// Use smtppass only if it was submitted
-		if ($smtppass)
+		if ($smtppass !== null)
 		{
 			$app->set('smtppass', $smtppass);
 		}

administrator/components/com_finder/src/Indexer/Indexer.php

@@ -242,7 +242,7 @@ class Indexer
 	 * @return  integer  The ID of the record in the links table.
 	 *
 	 * @since   2.5
-	 * @throws  Exception on database error.
+	 * @throws  \Exception on database error.
 	 */
 	public function index($item, $format = 'html')
 	{

administrator/language/en-GB/com_config.ini

@@ -52,6 +52,8 @@ COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE_VALUE_TWO_WAY="Two-way authentication"
 COM_CONFIG_FIELD_DATABASE_ENCRYPTION_VERIFY_SERVER_CERT_LABEL="Verify Server Certificate"
 COM_CONFIG_FIELD_DATABASE_HOST_LABEL="Host"
 COM_CONFIG_FIELD_DATABASE_NAME_LABEL="Database Name"
+COM_CONFIG_FIELD_DATABASE_PASSWORD_DESC="Do not edit this field unless absolutely necessary (eg after the transfer of the database to a new hosting provider)."
+COM_CONFIG_FIELD_DATABASE_PASSWORD_LABEL="Database Password"
 COM_CONFIG_FIELD_DATABASE_PREFIX_LABEL="Database Tables Prefix"
 COM_CONFIG_FIELD_DATABASE_TYPE_LABEL="Database Type"
 COM_CONFIG_FIELD_DATABASE_USERNAME_LABEL="Database Username"

administrator/language/en-GB/com_cpanel.ini

@@ -15,6 +15,7 @@ COM_CPANEL_MESSAGES_BODY_NOCLOSE="There are important post-installation messages
 COM_CPANEL_MESSAGES_BODYMORE_NOCLOSE="This information area won't appear when you have hidden all the messages."
 COM_CPANEL_MESSAGES_REVIEW="Read Messages"
 COM_CPANEL_MESSAGES_TITLE="You have post-installation messages"
+; Translators: Don't touch the code part in the following message, Starting with ## Mod_rewrite ...
 COM_CPANEL_MSG_ADDNOSNIFF_BODY="<p>Joomla is now shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in web browsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (eg images) will be executed, leading to Cross-Site-Scripting vulnerabilities.</p><p>The security team recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.</p><p><strong>Changes for .htaccess</strong><br>Add the following lines before \"## Mod_rewrite in use.\":</p><pre>&lt;IfModule mod_headers.c&gt;\nHeader always set X-Content-Type-Options \"nosniff\"\n&lt;/IfModule&gt;</pre><p><strong>Changes for web.config</strong><br>Add the following lines right after \"&lt;/rewrite&gt;\":</p><pre>&lt;httpProtocol&gt;\n  &lt;customHeaders&gt;\n    &lt;add name=\"X-Content-Type-Options\" value=\"nosniff\" /&gt;\n  &lt;/customHeaders&gt;\n&lt;/httpProtocol&gt;</pre>"
 COM_CPANEL_MSG_ADDNOSNIFF_TITLE=".htaccess & web.config Security Update"
 COM_CPANEL_MSG_HTACCESS_BODY="A change to the default .htaccess and web.config files was made in Joomla! 3.4 to disallow folder listings by default.  Users are recommended to implement this change in their files.  Please see <a href=\"https://docs.joomla.org/Special:MyLanguage/Preconfigured_htaccess\">this page</a> for more information."

build/media_source/system/js/fields/joomla-field-send-test-mail.w-c.es6.js

@@ -26,7 +26,6 @@
       const emailData = {
         smtpauth: document.getElementById('jform_smtpauth1').checked ? 1 : 0,
         smtpuser: this.querySelector('[name="jform[smtpuser]"]').value,
-        smtppass: this.querySelector('[name="jform[smtppass]"]').value,
         smtphost: this.querySelector('[name="jform[smtphost]"]').value,
         smtpsecure: this.querySelector('[name="jform[smtpsecure]"]').value,
         smtpport: this.querySelector('[name="jform[smtpport]"]').value,
@@ -36,6 +35,12 @@
         mailonline: document.getElementById('jform_mailonline1').checked ? 1 : 0,
       };
 
+      const smtppass = this.querySelector('[name="jform[smtpsecure]"]');
+
+      if (smtppass.disabled === false) {
+        emailData.smtppass = smtppass.value;
+      }
+
       // Remove js messages, if they exist.
       Joomla.removeMessages();
 

layouts/joomla/form/field/password.php

@@ -48,10 +48,13 @@ extract($displayData);
  * @var   string   $accept          File types that are accepted.
  * @var   string   $dataAttribute   Miscellaneous data attributes preprocessed for HTML output
  * @var   array    $dataAttributes  Miscellaneous data attribute for eg, data-*.
+ * @var   boolean  $lock            Is this field locked.
  */
 
+$document = Factory::getApplication()->getDocument();
+
 /** @var Joomla\CMS\WebAsset\WebAssetManager $wa */
-$wa = Factory::getApplication()->getDocument()->getWebAssetManager();
+$wa = $document->getWebAssetManager();
 
 if ($meter)
 {
@@ -72,6 +75,39 @@ Text::script('JFIELD_PASSWORD_INDICATE_COMPLETE');
 Text::script('JSHOWPASSWORD');
 Text::script('JHIDEPASSWORD');
 
+// TODO: Remove this jQuery dependency and move the lock functionality to the password view script
+\Joomla\CMS\HTML\HTMLHelper::_('jquery.framework');
+
+if ($lock)
+{
+	// Load script on document load.
+	$document->addScriptDeclaration(
+			"
+		jQuery(document).ready(function() {
+			jQuery('#" . $id ."_lock').on('click', function() {
+				var lockButton = jQuery(this);
+				var passwordInput = jQuery('#" . $id . "');
+				var lock = lockButton.hasClass('active');
+
+				if (lock === true) {
+					lockButton.html('" . Text::_('JMODIFY', true) . "');
+					passwordInput.attr('disabled', true);
+					passwordInput.val('');
+				}
+				else
+				{
+					lockButton.html('" . Text::_('JCANCEL', true) . "');
+					passwordInput.attr('disabled', false);
+				}
+			});
+		});"
+	);
+
+	$disabled = true;
+	$hint = str_repeat('*', strlen($value));
+	$value = '';
+}
+
 $attributes = array(
 	strlen($hint) ? 'placeholder="' . htmlspecialchars($hint, ENT_COMPAT, 'UTF-8') . '"' : '',
 	!empty($autocomplete) ? 'autocomplete="' . $autocomplete . '"' : '',
@@ -122,6 +158,7 @@ if ($rules && !empty($description))
 	}
 }
 ?>
+<<<<<<< HEAD
 <?php if (!empty($description)) : ?>
 	<div id="<?php echo $name . '-desc'; ?>" class="small text-muted">
 		<?php if ($rules) : ?>
@@ -148,3 +185,19 @@ if ($rules && !empty($description))
 		</span>
 	</div>
 </div>
+=======
+<?php if ($lock): ?>
+    <span class="input-append">
+<?php endif; ?>
+<input
+    type="password"
+    name="<?php echo $name; ?>"
+    id="<?php echo $id; ?>"
+    value="<?php echo htmlspecialchars($value, ENT_COMPAT, 'UTF-8'); ?>"
+    <?php echo implode(' ', $attributes); ?>
+/>
+<?php if ($lock): ?>
+    <button type="button" id="<?php echo $id; ?>_lock" class="btn btn-info" data-toggle="button"><?php echo JText::_('JMODIFY'); ?></button>
+    </span>
+<?php endif; ?>
+>>>>>>> 3.10-dev

libraries/src/Form/Field/LimitboxField.php

@@ -52,7 +52,7 @@ class LimitboxField extends ListField
 	protected function getOptions()
 	{
 		// Accepted modifiers
-		$hash = md5($this->element);
+		$hash = md5($this->element->asXML());
 
 		if (!isset(static::$options[$hash]))
 		{

libraries/src/Form/Field/PasswordField.php

@@ -72,6 +72,15 @@ class PasswordField extends FormField
 	 */
 	protected $layout = 'joomla.form.field.password';
 
+	/**
+	 * Attach an unlock button and disable the input field,
+	 * also remove the value from the output.
+	 *
+	 * @var    boolean
+	 * @since  3.9.24
+	 */
+	protected $lock = false;
+
 	/**
 	 * Method to get certain otherwise inaccessible properties from the form field object.
 	 *
@@ -85,6 +94,7 @@ class PasswordField extends FormField
 	{
 		switch ($name)
 		{
+			case 'lock':
 			case 'threshold':
 			case 'maxLength':
 			case 'meter':
@@ -116,9 +126,10 @@ class PasswordField extends FormField
 				$this->$name = $value;
 				break;
 
+			case 'lock':
 			case 'meter':
 			case 'force':
-				$this->meter = ($value === 'true' || $value === $name || $value === '1');
+				$this->$name = ($value === 'true' || $value === $name || $value === '1');
 				break;
 
 			default:
@@ -146,6 +157,9 @@ class PasswordField extends FormField
 
 		if ($return)
 		{
+			$lock       = (string) $this->element['lock'];
+			$this->lock = ($lock == 'true' || $lock == 'on' || $lock == '1');
+
 			$this->maxLength    = $this->element['maxlength'] ? (int) $this->element['maxlength'] : 99;
 			$this->threshold    = $this->element['threshold'] ? (int) $this->element['threshold'] : 66;
 			$meter              = (string) $this->element['strengthmeter'];
@@ -201,6 +215,7 @@ class PasswordField extends FormField
 
 		// Initialize some field attributes.
 		$extraData = array(
+			'lock'           => $this->lock,
 			'maxLength'      => $this->maxLength,
 			'meter'          => $this->meter,
 			'threshold'      => $this->threshold,

libraries/src/Form/FormField.php

@@ -1135,6 +1135,18 @@ abstract class FormField
 			{
 				$subForm = $this->loadSubForm();
 
+				// Subform field may have a default value, that is a JSON string
+				if ($value && is_string($value))
+				{
+					$value = json_decode($value, true);
+
+					// The string is invalid json
+					if (!$value)
+					{
+						return null;
+					}
+				}
+
 				if ($this->multiple)
 				{
 					$return = array();

libraries/src/Image/Filter/Backgroundfill.php

@@ -44,7 +44,7 @@ class Backgroundfill extends ImageFilter
 		$colorCode = $options['color'] ?? null;
 
 		// Get resource dimensions
-		$width = imagesx($this->handle);
+		$width  = imagesx($this->handle);
 		$height = imagesy($this->handle);
 
 		// Sanitize color
@@ -100,8 +100,8 @@ class Backgroundfill extends ImageFilter
 			$colors = array_merge($colors, $input);
 		}
 		elseif (\is_string($input))
-		// Convert RGBA 6-9 char string
 		{
+			// Convert RGBA 6-9 char string
 			$hex = ltrim($input, '#');
 
 			$hexValues = [
@@ -120,8 +120,8 @@ class Backgroundfill extends ImageFilter
 			}
 		}
 		else
-		// Cannot sanitize such type
 		{
+			// Cannot sanitize such type
 			return $colors;
 		}
 

plugins/actionlog/joomla/joomla.php

@@ -707,7 +707,7 @@ class PlgActionlogJoomla extends ActionLogPlugin
 	/**
 	 * On after save user group data logging method
 	 *
-	 * Method is called after user data is deleted from the database
+	 * Method is called after user group is stored into the database
 	 *
 	 * @param   string   $context  The context
 	 * @param   JTable   $table    DataBase Table object
@@ -719,6 +719,7 @@ class PlgActionlogJoomla extends ActionLogPlugin
 	 */
 	public function onUserAfterSaveGroup($context, $table, $isNew): void
 	{
+		// Override context (com_users.group) with the component context (com_users) to pass the checkLoggable
 		$context = $this->app->input->get('option');
 
 		if (!$this->checkLoggable($context))
@@ -751,7 +752,7 @@ class PlgActionlogJoomla extends ActionLogPlugin
 	/**
 	 * On deleting user group data logging method
 	 *
-	 * Method is called after user data is deleted from the database
+	 * Method is called after user group is deleted from the database
 	 *
 	 * @param   array    $group    Holds the group data
 	 * @param   boolean  $success  True if user was successfully stored in the database