Just an initial portion for now fixing incorrect text and preventing future incorrect text. Eventually, I'd like to fix everything still listed under "ignoredWords" in cspell.json.
- makes unit3d php8.4 + required
- fixes multiple implicitly to explicit nullable type
- dependency updates
- github action updates
- carbon 2 needs to move to carbon 3 in separate pr
We've been mostly relying on the 3rd party xss cleaner to make sure user submitted content is clean. This PR fixes up any leftover holes in the bbcode parser that allow xss vulnerabilities, and as a result, the 3rd party library isn't needed anymore. It cleans responsibly by first, running `htmlspecialchars()` over the content, followed by sanitizing the untrusted urls and whitelisting their protocol.
Bbcode is always sanitized first before being saved, which causes html entities. However, when content is edited again, the html entities aren't decoded before the user edits them, which causes the user to remove the html entities before updating the content. This commit now decodes the html back to text and will resanitize again upon save.
- github action updated with new ruleset in pint.json
- codebase linted with new ruleset
- contributors can now run `./vendor/bin/pint`
- action workflow will auto correct any lint issues upon commit/opened pull request
