Merge branch '4.0-dev' into j4/frameworkImage

administrator/language/en-GB/en-GB.plg_system_httpheaders.ini

@@ -6,8 +6,6 @@
 ; Please do not translate the word 'HTTP Headers' in the following two language strings
 PLG_SYSTEM_HTTPHEADERS="System - HTTP Headers"
 PLG_SYSTEM_HTTPHEADERS_ADDITIONAL_HEADER="Additional HTTP Headers"
-; Please do not translate the name of the HTTP Headers in the following language string
-PLG_SYSTEM_HTTPHEADERS_ADDITIONAL_HEADER_DESC="The supported headers are: <br><ul><li>Strict-Transport-Security</li><li>Content-Security-Policy</li><li>Content-Security-Policy-Report-Only</li><li>X-Frame-Options</li><li>X-XSS-Protection</li><li>X-Content-Type-Options</li><li>Referrer-Policy</li><li>Expect-CT</li></ul>"
 ; Please do not translate the word 'HTTP Header' in the following two language strings
 PLG_SYSTEM_HTTPHEADERS_ADDITIONAL_HEADER_KEY="HTTP Header"
 PLG_SYSTEM_HTTPHEADERS_ADDITIONAL_HEADER_VALUE="HTTP Header Value"
@@ -33,13 +31,10 @@ PLG_SYSTEM_HTTPHEADERS_MESSAGE_STATICHEADERS_NOT_WRITTEN="Your %1$s file is not
 PLG_SYSTEM_HTTPHEADERS_POSTINSTALL_INTRODUCTION_TITLE="HTTP Security Headers"
 PLG_SYSTEM_HTTPHEADERS_POSTINSTALL_INTRODUCTION_BODY="<p>Joomla! comes with a built-in set of tools that help you to handle http security headers. These headers help your browser for example to protect your website from <a href='https://en.wikipedia.org/wiki/Cross-site_scripting' target='_blank' rel='noopener noreferrer'>XSS</a> and <a href='https://en.wikipedia.org/wiki/Clickjacking' target='_blank' rel='noopener noreferrer'>Clickjacking</a> attacks.</p><p>You can find more details in the <a href='https://docs.joomla.org/Special:MyLanguage/J4.x:Http_Header_Management' target='_blank' rel='noopener noreferrer'>HTTP Header Management Tutorial in the Joomla! Documentation.</a></p>"
 PLG_SYSTEM_HTTPHEADERS_POSTINSTALL_INTRODUCTION_ACTION="Enable default security headers"
-; Please do not translate the following 3 language strings
+; Please do not translate the following two language strings
 PLG_SYSTEM_HTTPHEADERS_REFERRERPOLICY="<a href='https://scotthelme.co.uk/a-new-security-header-referrer-policy/' target='_blank' rel='noopener noreferrer'>Referrer-Policy</a>"
 PLG_SYSTEM_HTTPHEADERS_WRITE_STATIC_HEADERS="Write headers to the configuration file"
 PLG_SYSTEM_HTTPHEADERS_WRITE_STATIC_HEADERS_DESC="When enabled the headers (excluding the Content-Security-Policy) will be added to the existing server configuration file as soon as you save this extension. This way the headers will be enforced from the server side. At this time we only support .htaccess (Apache) and web.config (IIS) files."
-PLG_SYSTEM_HTTPHEADERS_XCONTENTTYPEOPTIONS="<a href='https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options' target='_blank' rel='noopener noreferrer'>X-Content-Type-Options</a>"
 PLG_SYSTEM_HTTPHEADERS_XFRAMEOPTIONS="<a href='https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options' target='_blank' rel='noopener noreferrer'>X-Frame-Options</a>"
 ; Please do not translate 'HTTP Security Headers' in the following language string
 PLG_SYSTEM_HTTPHEADERS_XML_DESCRIPTION="This Plugin helps you to set the HTTP Security Headers"
-; Please do not translate the following language string
-PLG_SYSTEM_HTTPHEADERS_XXSSPROTECTION="<a href='https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection' target='_blank' rel='noopener noreferrer'>X-XSS-Protection</a>"

components/com_users/layouts/joomla/form/renderfield.php

@@ -43,7 +43,8 @@
  */
 preg_match('/class=\"([^\"]+)\"/i', $input, $match);
 
-$required     = (strpos($input, 'aria-required="true"') !== false || (!empty($match[1]) && strpos($match[1], 'required') !== false));
+$required     = (strpos($input, 'aria-required="true"') !== false
+			|| (!empty($match[1]) && (strpos($match[1], 'required') !== false) || strpos($displayData['class'], 'required') !== false));
 $typeOfSpacer = (strpos($label, 'spacer-lbl') !== false);
 
 ?>

layouts/joomla/form/field/media.php

@@ -41,7 +41,7 @@
 $attr = '';
 
 // Initialize some field attributes.
-$attr .= !empty($class) ? ' class="form-control hasTooltip field-media-input ' . $class . '"' : ' class="form-control hasTooltip field-media-input"';
+$attr .= !empty($class) ? ' class="form-control field-media-input ' . $class . '"' : ' class="form-control field-media-input"';
 $attr .= !empty($size) ? ' size="' . $size . '"' : '';
 
 // Initialize JavaScript field attributes.

libraries/src/Application/CMSApplication.php

@@ -893,7 +893,7 @@ public function logout($userid = null, $options = array())
 			return true;
 		}
 
-		// Trigger onUserLoginFailure Event.
+		// Trigger onUserLogoutFailure Event.
 		$this->triggerEvent('onUserLogoutFailure', array($parameters));
 
 		return false;

libraries/src/Document/Renderer/Html/StylesRenderer.php

@@ -126,7 +126,7 @@ public function render($head, $params = array(), $content = null)
 
 				if ($this->_doc->cspNonce)
 				{
-					$buffer = ' nonce="' . $this->_doc->cspNonce . '"';
+					$buffer .= ' nonce="' . $this->_doc->cspNonce . '"';
 				}
 
 				$buffer .= '>' . $lnEnd;

libraries/src/Encrypt/AES/OpenSSL.php

@@ -17,7 +17,7 @@
  *
  * @since   __DEPLOY_VERSION__
  */
-class Openssl extends AbstractAES implements AesInterface
+class OpenSSL extends AbstractAES implements AesInterface
 {
 	/**
 	 * The OpenSSL options for encryption / decryption

plugins/system/httpheaders/httpheaders.php

@@ -63,8 +63,6 @@ class PlgSystemHttpHeaders extends CMSPlugin implements SubscriberInterface
 		'content-security-policy',
 		'content-security-policy-report-only',
 		'x-frame-options',
-		'x-xss-protection',
-		'x-content-type-options',
 		'referrer-policy',
 		'expect-ct',
 		'feature-policy',
@@ -752,18 +750,6 @@ private function getStaticHeaderConfiguration($pluginParams = false): array
 			$staticHeaderConfiguration['x-frame-options#both'] = 'SAMEORIGIN';
 		}
 
-		// X-xss-protection
-		if ($pluginParams->get('xxssprotection'))
-		{
-			$staticHeaderConfiguration['x-xss-protection#both'] = '1; mode=block';
-		}
-
-		// X-content-type-options
-		if ($pluginParams->get('xcontenttypeoptions'))
-		{
-			$staticHeaderConfiguration['x-content-type-options#both'] = 'nosniff';
-		}
-
 		// Referrer-policy
 		$referrerPolicy = (string) $pluginParams->get('referrerpolicy', 'no-referrer-when-downgrade');
 

plugins/system/httpheaders/httpheaders.xml

@@ -37,26 +37,6 @@
 					<option value="0">JDISABLED</option>
 					<option value="1">JENABLED</option>
 				</field>
-				<field
-					name="xxssprotection"
-					type="radio"
-					label="PLG_SYSTEM_HTTPHEADERS_XXSSPROTECTION"
-					class="switcher"
-					default="1"
-					>
-					<option value="0">JDISABLED</option>
-					<option value="1">JENABLED</option>
-				</field>
-				<field
-					name="xcontenttypeoptions"
-					type="radio"
-					label="PLG_SYSTEM_HTTPHEADERS_XCONTENTTYPEOPTIONS"
-					class="switcher"
-					default="1"
-					>
-					<option value="0">JDISABLED</option>
-					<option value="1">JENABLED</option>
-				</field>
 				<field
 					name="referrerpolicy"
 					type="list"
@@ -78,7 +58,6 @@
 					name="additional_httpheader"
 					type="subform"
 					label="PLG_SYSTEM_HTTPHEADERS_ADDITIONAL_HEADER"
-					description="PLG_SYSTEM_HTTPHEADERS_ADDITIONAL_HEADER_DESC"
 					multiple="true"
 					>
 					<form>
@@ -93,8 +72,6 @@
 							<option value="content-security-policy">Content-Security-Policy</option>
 							<option value="content-security-policy-report-only">Content-Security-Policy-Report-Only</option>
 							<option value="x-frame-options">X-Frame-Options</option>
-							<option value="x-xss-protection">X-XSS-Protection</option>
-							<option value="x-content-type-options">X-Content-Type-Options</option>
 							<option value="referrer-policy">Referrer-Policy</option>
 							<option value="expect-ct">Expect-CT</option>
 							<option value="feature-policy">Feature-Policy</option>