Finally com_mailto allow the usage of a captcha by using JForm #20265

Merged
merged 16 commits into from May 23, 2018

@zero-24
Contributor

zero-24 commented Apr 30, 2018

Summary of Changes

Finally com_mailto allow the usage of a captcha by using JForm

As discussed with the JSST this is now a public tracker item: cc @SniperSister @mbabker

Testing Instructions

  • apply this patch
  • check that the mail to friend feature still works
  • configure the captcha
  • check that com_mailto now requires the captcha

Expected result

com_mailto supports captchas
com_mailto uses JForm

Actual result

com_mailto doesn't support captchas
com_mailto doesn't use JForm

Documentation Changes Required

none

zero-24 added some commits Apr 29, 2018

@zero-24 zero-24 added this to the Joomla 3.8.8 milestone Apr 30, 2018

@zero-24 zero-24 requested a review from brianteeman as a code owner Apr 30, 2018

* The base form is loaded from XML and then an event is fired
* for users plugins to extend the form with extra fields.
*
* @param array $data An optional array of data for the form to interogate.

@brianteeman

brianteeman Apr 30, 2018

Contributor

interrogate

@zero-24

zero-24 Apr 30, 2018

Contributor

fixed thanks.

zero-24 added some commits Apr 30, 2018

@brianteeman brianteeman changed the title from Finally com_mailto allow the usage of a captach by using JForm to Finally com_mailto allow the usage of a captcha by using JForm Apr 30, 2018

@brianteeman

Contributor

brianteeman commented Apr 30, 2018

milestone is set to 3.8.8. but surely this is a new feature according to semver

@zero-24

Contributor

zero-24 commented Apr 30, 2018

> milestone is set to 3.8.8. but surely this is a new feature according to semver

new feature? Where do you see a new feature? This is a fix for a broken and exploited attack against sites as noted here in public and in private many times. ;)

}
$this->set('data', $data);
$this->set('link', urldecode(JFactory::getApplication()->input->get('link', '', 'BASE64')));
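Review bot: On the last line, `urldecode()` is applied to a value that has already been taken from the request through the `BASE64` filter, so the extra decode cannot recover anything and can only alter the value (for example, `urldecode()` turns `+` into a space). Drop the `urldecode()` call, or if a percent-encoded value really is expected here, decode first and filter afterwards. These lines also hand the value to the view with no check shown that it is a link the site itself issued; confirm that check runs before the link is used in the mail.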

@mbabker

mbabker Apr 30, 2018

Member

$this->link = ...

@zero-24

zero-24 Apr 30, 2018

Contributor

Fixed with the last commit. Thanks.

@mbabker

Member

mbabker commented Apr 30, 2018

You technically get a new feature introducing captcha support to the form. Otherwise it's all just internal refactoring/restructuring.

@zero-24

Contributor

zero-24 commented Apr 30, 2018

> You technically get a new feature introducing captcha support to the form.

Correct but this is just a side effect of the refactoring to JForm ;)

@brianteeman

Contributor

brianteeman commented Apr 30, 2018

Adding captcha is a new feature. Semantic versioning is all about technicalities

@zero-24

Contributor

zero-24 commented Apr 30, 2018

@mbabker do you agree with @brianteeman or can we move forward with that protection against spam in 3.8.8 by allowing that feature?

Or do we need to go the hard way in patching the xml lines for the captcha out and explain in a doc page where to add the support for that?

@ot2sen

Contributor

ot2sen commented Apr 30, 2018

Must be considered a bug at this stage. Captcha has been a core feature for ages so it must be a bug that it didn't arrive in all contact or form interactions when first added :)

@mbabker

Member

mbabker commented Apr 30, 2018

To be completely honest it's one of those edge cases where you have to outweigh the user benefit with strict adherence to the standard. At this point we're dealing with a weakness in core that could've legitimately just been committed to 3.8.8 as a security fix without this public item but we collectively decided this doesn't need to be committed with that type of "secrecy" (for a lack of a better term). So for me, even though a standard says this strictly must trigger a minor version release, I don't think this absolutely must go into 3.9 and not be addressed in a 3.8 release.

@zero-24 zero-24 modified the milestones: Joomla 3.8.8, Joomla 3.9.0 Apr 30, 2018

@brianteeman

Contributor

brianteeman commented Apr 30, 2018

@mbabker even if it was a security issue it would still require a version bump
@ot2sen that would be perhaps true if it was indeed added to all forms but it still hasn't been

there are a lot more urgent issues which are actually going to be useful that are being held up for 3.9

either we use semver or we don't - it's not something that can be done half heartedly

@mbabker

Member

mbabker commented Apr 30, 2018

It's not being done half-heartedly. The standard is the guiding line and we have to justify deviating from it (which should be an exceptional basis). It's not "follow the standard when it's convenient". If we followed the standard that strictly then we would have to version bump when we:

  • Run composer update and it includes minor version increments (the changes may not all be part of our API but as part of our distributed package it does introduce new features)
  • Update any JavaScript library which is a minor version release (CodeMirror being the common one)
  • Merge any patch that is not strictly fixing a bug

So we already do it "half heartedly" in some ways. Considering I can't get good answers on how to handle releases beyond 3.8.x right now the best thing I can do while I'm running releases is use my best judgment on things. And considering the amount of marketing hype that the project likes to put onto .0 releases (and the amount of annoyance end users have if .0 releases don't have something new and shiny, see 3.4 and 3.5 reactions) I doubt anyone would want us doing "full blown" feature releases every 2-3 months as that's about the cycle we're on for something being merged that is not 100% in line with the SemVer definition of a patch release.

@brianteeman

Contributor

brianteeman commented Apr 30, 2018

guess i am just frustrated that several pr of mine got delayed because of semver and the privacy plugin will be useless by the time it is released

@Quy

Contributor

Quy commented Apr 30, 2018

The form no longer fits within the popup window. You have to scroll down to see the buttons.
The email address is not populated.

Before:
[screenshot: 20265-before]

After:
[screenshot: 20265-after]

@zero-24

Contributor

zero-24 commented Apr 30, 2018

should be fixed now thanks @Quy

@@ -73,7 +73,12 @@ public static function email($article, $params, $attribs = array(), $legacy = fa
$link = $base . JRoute::_(ContentHelperRoute::getArticleRoute($article->slug, $article->catid, $article->language), false);
$url = 'index.php?option=com_mailto&tmpl=component&template=' . $template . '&link=' . MailtoHelper::addLink($link);
$status = 'width=400,height=350,menubar=yes,resizable=yes';
$status = 'width=400,height=550,menubar=yes,resizable=yes';
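Review bot: The replacement `$status` line hard-codes `height=550` for every site, whether or not a captcha is configured, and the rendered height of a captcha widget depends on the plugin in use. Derive the height from the captcha setting rather than a fixed number, and keep `resizable=yes` so a taller challenge can still be reached. In the same hunk, `$template` is concatenated into `$url` as-is; if it can hold anything other than a plain template name it should be URL-encoded before it is appended.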

@Quy

Quy May 3, 2018

Contributor

Another way to consider:

		$height = JFactory::getApplication()->get('captcha', '0') === '0' ? 450 : 550;
		$status = 'width=400,height=' . $height . ',menubar=yes,resizable=yes';

$data['sender'] = $input->get('sender', '', 'string');
$data['emailfrom'] = $input->get('emailfrom', '', 'string');
$data['subject'] = $input->get('subject', '', 'string');
$data['captcha'] = $input->get('captcha', '', 'string');
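Review bot: `sender`, `emailfrom` and `subject` are read with the `string` filter and are destined for an outgoing mail, but nothing in these lines rejects line breaks or header keywords in them. Make sure a header-injection check runs on these values before they reach the mailer, and validate `emailfrom` as an address rather than as free text. The `captcha` entry on the last line should not be needed in `$data` if the captcha is checked through the form's own validation.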

@Quy

Quy May 3, 2018

Contributor

Remove $data['captcha']. Here is a var_dump of $input.

  ["data":protected]=>
  &array(12) {
    ["task"]=>
    string(4) "send"
    ["emailto"]=>
    string(19) "test@example.com"
    ["sender"]=>
    string(3) "John Doe"
    ["emailfrom"]=>
    string(19) "test@example.com"
    ["subject"]=>
    string(4) "Test"
    ["g-recaptcha-response"]=>
    string(484) "03AJpayVFwI5ojctS5-iOKcPzmEbYu3vMqhLKgpDYwQl00E1I8a2ALO7elw8GU-vMARD7BeQrvFvzoc9VQlJuGXhs7ThW-_lZ5bQzO4ExyKdWNSuVn0Z65qHs58WdVNlulPTi3y0Rr6h9WkJx4dNerSO7e-uRRevtmf264JMUEUUiFFFaXu2nWGuO3J1X3holMHFKxC2dr8kGD_zUPJKPYmJXp2oBGju9H9JH-7fcgRIb-z8qBaovZ4Bf8y-fMO6NNZg1cTnLdR8Agl07RsPUOrZHty4zF4C7YdGer6tgpGbaukGY9uwpfewFIvCuOXWpyaFghlKJE5olc346PTqCaLwrIGhmmJHC_J23KBm96Cllh0w3X7U4YHdmRDKt3xo3nTHRsCd0pM8xW4SiKnFk4CqevseRa59GAQ9Ppu5P5gUwvpxw8rYkPCnerpyu_iSJoinVLgWOJoRefWqzO8mtN_EF2RZ04QZi_0Q"
    ["layout"]=>
    string(7) "default"
    ["option"]=>
    string(10) "com_mailto"
    ["tmpl"]=>
    string(9) "component"
    ["link"]=>
    string(40) "a9738b32019b618d686bd9a69d68c25b1a7b487b"
    ["cebbff4423bc7e9230300bc2d6e82f61"]=>
    string(1) "1"
    ["Itemid"]=>
    NULL
  }

@zero-24

Contributor

zero-24 commented May 3, 2018

Fixed thanks @Quy

@Quy

Contributor

Quy commented May 3, 2018

I have tested this item successfully on 65b0c3b


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/20265.

<fieldset>
<?php foreach ($this->form->getFieldset('') as $field) : ?>
<?php if (!$field->hidden) : ?>
<div class="control-group">

@laoneo

laoneo May 4, 2018

Member

Why do you not use $field->renderField (); ?

@zero-24

zero-24 May 4, 2018

Contributor

I'm going to implement that when I get back home today. Thanks!

@laoneo

laoneo May 4, 2018

Member

👍

@zero-24

zero-24 May 4, 2018

Contributor

fixed with the last commit. Thanks.

@infograf768

Member

infograf768 commented May 4, 2018

Tested fine here. Will mark test OK after the change suggested by @laoneo

@Quy

Contributor

Quy commented May 5, 2018

I have tested this item successfully on 7e70b61


@Quy

Contributor

Quy commented May 10, 2018

Ping @infograf768 Thanks.

@zero-24

Contributor

zero-24 commented May 16, 2018

@infograf768 as the requested change has been implemented can you please do your test so we can move that into 3.8.8? Thanks!

mbabker added a commit to joomla-projects/privacy-framework that referenced this pull request May 17, 2018

Port my plugin plg_content_consentbox as plg_content_confirmconsent for the joomla core Fixes #6 (#12)

* initial port to the joomla core

* add com_mailto as supported form (requires joomla/joomla-cms#20265)

* install & update SQL & mark as core extension

* bump version to trigger drone

* new line & drone

* implement consentbox text based on the work by @brianteeman thanks!

* thanks drone

* new line

* doc block

* rename plugin to ConfirmConsent

* fix inline comments

* typo thanks @sandewt

* implement LanguageAssociations thanks @infograf768

* fix check

* move the update sql's to its own files to avoid merge conflicts

* fix postgresql file

* thanks @infograf768

* fix problems found by @infograf768

* extend description

* implement modal support thanks @infograf768

* new text thanks @brianteeman

* drone

* add missing period

* thanks @brianteeman

* thanks @Sandra97

* remove Scalar types

* fix association

* fix comments thanks @sandewt

* class var type

* fix language string and use another namespace

* the 2nd field is package_id

* the 2nd field is package_id

* the 2nd field is package_id

* add com_privacy.request

@zero-24 zero-24 modified the milestones: Joomla 3.8.8, Joomla 3.8.9 May 20, 2018

@zero-24

Contributor

zero-24 commented May 20, 2018

Well this is going to be delayed to 3.8.9. :( @infograf768 can you please mark your test now so we can finally release it in 3.8.9?

@infograf768

Member

infograf768 commented May 21, 2018

I have tested this item successfully on 7e70b61


@infograf768 infograf768 changed the title from Finally com_mailto allow the usage of a captcha by using JForm to Finally com_mailto allow the usage of a captcha by using JForm May 21, 2018

@joomla-cms-bot joomla-cms-bot removed this from the Joomla 3.8.9 milestone May 21, 2018

@infograf768

Member

infograf768 commented May 21, 2018

RTC. Thanks.


@joomla-cms-bot joomla-cms-bot added the RTC label May 21, 2018

@infograf768 infograf768 added this to the Joomla 3.8.9 milestone May 21, 2018

@zero-24

Contributor

zero-24 commented May 21, 2018

@mbabker mbabker merged commit d188e8a into joomla:staging May 23, 2018

5 checks passed

Hound No violations found. Woof!
JTracker/HumanTestResults Human Test Results: 2 Successful 0 Failed.
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/drone/pr the build was successful
continuous-integration/travis-ci/pr The Travis CI build passed

@joomla-cms-bot joomla-cms-bot removed the RTC label May 23, 2018

@zero-24 zero-24 deleted the zero-24:com_mailto_jform branch May 24, 2018

zero-24 added a commit to zero-24/joomla that referenced this pull request Jun 3, 2018

joomlabeat added a commit to joomlabeat/joomla-cms that referenced this pull request Aug 2, 2018


* Implement Issue Templates as discussed in #20298

joomla#20298

* [fix] openbase_dir processing (#20280)

* CodeMirror updated to version 5.37.0 (#20269)

* Use title from menu item (#20267)

* Change the defaults for new installs to disable com_mailto in articles (#20266)

* change the defaults for new installs to disable com_mailto in articles

* change more defaults to 0 thanks @Quy

* Don't enable sending the PW on new installs (#20247)

* disable plain pw sending per default on new installs

* make sure we have to set a PW when we don't send the plain pw via mail

* change the default in the xml to thanks @Quy

* update the sample data thanks @Quy

* make sure the mail to user does not include the PW too

* Revert "make sure the mail to user does not include the PW too"

This reverts commit 9095819.

* address comments by @Bakual thanks

* Optimization and fix of multilingual associations and add layouts to com_content links (#20229)

* Revert #19681

* Revert #19683

* Remove addition query and check after #19314

* Add layout to com_content links

* Add layout to com_content article associations

* Add layout to category associations

* add advanced where clause param

* add advanced where clause for com_content article associations

* drone code formatting fix

* drone code formatting fix

* drone code formatting fix

* Line exceeds 150 characters

* PHPCS rules

* Remove parenthesis

* Change queryKey

* Fix typo

* Improve description

* Add checksum generation to the build script

* Hide Enabled/Disabled users column headers and be a11y compliant (#20279)

* Code mirror autofocus issue (#20270)

* Pass the autofocus param to the plugin.

While we're at it, pretty up this function a little.

* Get autofocus from $params, not $this->params.

Also, make sure we only autofocus one CodeMirror per page.

* We won't be needing these things anymore.

* Keep the unused strings.

* Add a deprecated flag in database query for a few union/unionAll/unionDistinct (#20219)

* Add showon attribute (#20156)

* [com_contact] Display 0 value with custom field (#20124)

* Display 0 value

* Display 0 value

* fix custom fields with tab format (#20023)

* Show a sample editor on the CodeMirror plugin config page. (#17042)

* Show a sample editor on the CodeMirror plugin config page.

* Call it a 'Preview'

* Reordered attributes as per the Joomla coding standards for xml

* hiddenFieldsets & configFieldsets needs to be defined (#16856)

* hiddenFieldsets & configFieldsets needs to be defined

* use getter

* Fix subform repeat counter. (#19693)

* Fix subform repeat counter.

As normal rows should be zero indexed.

When length === count === 0, first row should be 0.

Note: PHP creates existing rows with zero index - so if min=1, you
currently get row 0 on form load then row 2, 3 etc. as you add them.

* Update unit tests

* Additional test fixes.

* Fix typo in comment.

* Reminify subform-repeatable.js

* Fixing so that editors-xtd plugins works with com_ajax (#17939)

* Fixing so that editors-xtd plugins works with com_ajax

* Code formatting fix

* [Plugins] Add filters to manifest files. (#20410)

* URL Menu Item Type link should be required. (#20392)

* Fix up the protostar template.js (#20224)

Don't use unnecessary closure, just use jQuery ready function.
Use javascript strict mode
use event delegation where possible
Make tooltips and button groups work properly with repeatable subforms

* Bootstrap alert compatible (#18909)

* Bootstrap alert compatible

Alert compatibility with new Bootstrap versions.

* Strict comparison

* Bootstrap alert compatible minified file

Alert compatibility with new Bootstrap versions.

* Add PHP 7.3 polyfill (#20441)

* [com_finder] Fix regression #19969 (#20411)

* [com_finder] - fix update inner join syntax for postgres (#19964)

* [com_finder] - fix update inner join syntax for postgres

* drone fix

cs

* quoteName vs qn

* cs

* Update tag.php (#19951)

There is a bug in getItem, the function parameter is called $pk, but in code it is using $id, so whenever the parameter is passed it is not used in the function.

* Change the Administrator group's filtering to use the default blacklist

* Add postinstall message explaining revised default settings

* Prepare 3.8.8 Release Candidate

* Reset for dev

* Typo in nl-NL installation language file (#20460)

* Update joomla/filter package

* Update joomla/application package

* Store plaintext passwords in a separate options key, do not display passwords on summary page

* Prepare 3.8.8 release

* When JFeed was moved, old files were never deleted

* Reset for dev

* Correctly escape the random image module output (#20533)

* Finally com_mailto allow the usage of a captcha by using JForm (#20265)

* finally com_mailto allow the usage of a captcha by using JForm

* remove unused $session variable

* Line ending to LF

* fix typo thanks @brianteeman

* no need to use set and get thanks @mbabker

* expand the popup & fix the auto population thanks @Quy

* captcha handling

* fix the captcha check

* commit header check thanks for reporting @brianteeman @mbabaker and for the improved code @Quy

* style changes affected height thanks @brianteeman

* line ending again

* close <fieldset> thanks @Quy

* make the iframe a bit bigger thanks @Quy

* commit proposed changes by @Quy

* implement suggested improvements

* use <?php echo $field->renderField(); ?> thanks @laoneo

* Remove check for a valid form from two places in plugins (#20277)

* If that is not a valid form our system is broken at all

* Typehint the form argument

* Fallback to integer (#20338)

* [plg_user_profile] Misc fixes (#20412)

* Update profile.xml

* Update profile.xml

* Update profile.php

* Update tos.php

* [plg_fields] Manifest cleanup, filters, Editor plugin fix (#20422)

* Update calendar.xml

* Update checkboxes.xml

* Update checkboxes.xml

* Update editor.xml

* Update editor.xml

* Update editor.php

* Update imagelist.xml

* Update imagelist.xml

* Update integer.xml

* Update integer.xml

* Update list.xml

* Update list.xml

* Update media.xml

* Update radio.xml

* Update radio.xml

* Update checkboxes.xml

* Update list.xml

* Update sql.xml

* Update sql.xml

* Update textarea.xml

* Update textarea.xml

* Update url.xml

* Update url.xml

* Update usergrouplist.xml

* Update usergrouplist.xml

* Restore empty value

* [plg_system] Manifest file filters (#20456)

* [CS] fix some doc comment types (#20522)

* PHPCS2 manual fixes

- Variables passed by reference should not have the `&` prefixed in the doc comment
  - Joomla.Commenting.FunctionComment.MissingParamTag
  - Joomla.Commenting.FunctionComment.ParamNameNoMatch
- correct return statement

* exclude administrator/components/ folder

"Having a "&" in the docblock (whether it's in front of the type or name) is not valid. References are to be expressed solely by the function/method declaration."

so we need to exclude this sniff while we transition to the PHPCS 2.x version

* [styles] Fix checkboxes/buttons not clickable under Menu Assignment in Chrome (#20542)

* Remove css

* Remove css

* Remove css rtl

* cs

* [Regression] Menu item type url with rel attribute nofollow (#19949)

* Menu item url attribute rel nofollow with target blank

* logic

* cs

* cs fix - thx Quy

* concat

* Too many elements to index (#13868)

* Too many elements to index

I don't know why in the query `#__tags` is twice. Once as a `a` and second time as a `b`. For me it works perfectly when we remove `b`. I had a problem with this - for 1100 tags on my websites, Smart Search Indexer found more than 1233000 items to index.

* Mistake with query

I corrected a bug with calling the `#__tags` table in the query.

* Update joomla/filter package (#20579 and #20580)

* Fix folder browsing and file upload that broke in 3.8.8 due to escaping (#20586)

* Fix de-escaping of slash in folder name

* code style

* Update popup-imagemanager.js

* standardise contact strings (#20577)

as spotted by @MartijnMaandag

* Enable to change FormData in com_menu (#20313)

* Set as object to allow for alterations

* Cast to object directly

* fix typo in installation string (#20607)

It is IN each category not ON each category

INSTL_DEFAULTLANGUAGE_INSTALL_LOCALISED_CONTENT_DESC="If active, Joomla will automatically create one content category per each installed language. Also, one featured article with dummy content will be created in each category."

* Resync deleted files list back to 1.7.3 tag (#20564)

* Add additional check that view exists before proceeding (#18757)

* Add additional check that view exists before proceeding

We assume the array key exists with view but not ID. I have come across some installations where view does not exist and it causes php warnings. So just check it does exist before actually proceeding further as we do with ID.

* Update legacyrouter.php

* Update legacyrouter.php

* Default installation value in configuration.php-dist (#20655)

* Default installation value in configuration.php-dist

The config file to use in manual installs has incorrect advice and paths for tmp and logs as they are referring to server paths and not paths within a joomla installation

* oops

* CodeMirror updated to 5.38.0 (#20636)

* Bump Composer dependencies (#20583)

* Bump Composer dependencies

* Bad user data

* Try changing test to fix PHP 5.3 behavior

* Another attempt at fixing this

* Try upstream changes without tag yet

* Back to empty array

* Now with release tag

* Update app package with UA fix

* [fix] Error decoding JSON data: Syntax error (#20663)

* [fix] Error decoding JSON data: Syntax error

* [test] ensure that empty params do not cause user loading issues

* Don't try to json_decode() a null value (#20675)

* Don't try to json_decode() a null value

* Add Registry package fix to make sure broken code can continue to work

* Joomla\CMS\Categories\Categories fix (#20680)

A constructor can't return a value.

* [CS] fix some doc comment types (round 2) (#20647)

* PHPCS2 manual changes

- Doc comment for parameter does not match actual variable name
- Comment closer must be on a new line (just convert to single line comment)
- be more specific with the rules we want to exclude

* fix spaces

Expected only 2 spaces after the longest variable name

* one more fix for doc comment

- Doc comment for parameter does not match actual variable name

* [Newsfeeds] Use item link instead of guid. (#20717)

* Feed links

* Restore http check for now

* CS

* Some cleanups

* Verb wrong tense (#20708)

* Verb wrong tense

Clearly using the present tense is incorrect for an error message and it should be the past tense

* no error

* Replace UCMType::getType() by UCMType::getTypeByAlias($this->alias) (#20672)

* JTableAsset::loadByName(): replace two sql queries by one (#20671)

* Display 404 page if banner not found (#20664)

* Update strings (#20591)

* Fix stale session data wrongly overriding configuration file when editing global configuration (#20590)

* Fix stale session data wrongly overriding configuration file when editing global configuration

* Use $this variable

* [com_menus] - fix php warning (#18471)

* Singular not plural (#20751)

* Singular not plural

Obvious correction. Sorry, I don't know what I did to display the error.

* Update en-GB.mod_sampledata.ini

* [com_tags] Image caption in Tags view (#20648)

* Put all build packages in one directory (#20745)

* [com_tags] Tagged item link in feed (#20723)

* [com_tags] Tagged item feed links

* Nesting error

* [mod_tags_similar] Link cleanup (#20730)

* [mod_tags_similar] Link cleanup

* CS

* Com_finder meta data (#20772)

* Com_finder meta data

com_finder aka smart search was not following any meta data set in the menu item

#### to test

 - setup and configure smart search
 - create a menu item for smart search and set the meta description and meta keywords
 - open the menu item on the front end - check source and the meta data set in the menu is not present
 - do a search
 - check source and the meta data has been generated from the search

Apply this PR
 - open the menu item on the front end - check source and the meta data set in the menu is present
 - do a search
 - check source and the meta data has been generated from the search

* remove copy paste error

* Add UTF-8 encoding to phpcs in .drone.yml (#20769)

* Login to view the article redirect fix (#20732)

Without the view=login parameter JRoute can not resolve the Itemid. 
So the menu item assigned to 'login' is not active.

Seems there is a related hack here:
/com_content/views/article/tmpl/default.php ~line 143

This can also cause problems with third party extensions like sh404sef.

* Mouse over edit - rename (#20743)

At the time this feature was introduced we weren't happy with the name "Mouse over edit" but couldn't really think of anything else.

I believe that today the term "inline editing" is far more understood and is a more appropriate name

* Better mode autoloading. (#20746)

* Respect access of editor plugin inside profile form (#20713)

* Respect access of editor plugin inside profile form

* Use value string 'true', '*' instead of integer for useaccess parameter

* Additional Escaping Of Paths In com_media (#20616)

* Additional Escaping Of Paths In com_media

* Additional Override Escaping

* carefully revert some escaping (security)

* more specific and special reverse encoding of slash

* C&P Error

* [com_tags] Images in Tagged Items view (#20601)

* [com_contenthistory] - fix for not delete keep forever items (#20430)

* [com_contenthistory] - fix for not delete keep forever items

* don't stop delete

* cs

* cs removed spaces at end of line

* Fixing com_fields integration in com_contact (#20413)

* Fixing com_fields integration

Custom fields in com_contact currently don't work properly. Choosing a category on which they should appear doesn't work because the fields plugin has no information about the contact catid, as no data is passed to the form when the contact form is displayed. This fixes it.

* Fixing code style

* Removing whitespace, fixing spelling

* enable mod_sampledata extension

* [ModuleHelper] owncache param as integer (#20626)

* Changed return 0 to continue

To prevent the entire function to quit, it just needs to go to the next file.
Fix joomla#17954

* [mod_articles_category] Fatal error (#20834)

* Prepare 3.8.9 Release Candidate

* Reset for dev

* Very small language file cs (#20844)

* Whitelist allowed global access

* Bump joomla/input package

* Use new method for dynamically resolving Input based on request method

* Prepare 3.8.9 release

* Reset for development

* Fix the autoloader for Windows platforms (#20877)

* Prepare 3.8.10 release

* Reset for dev, again

* Don't delete file that is still in use (Fix #20881)

* [plg_user_profile] Add RTL check to ToS field

* FIX: Install Languages Manager language badges wrongly set to not match since upgrade to 3.8.10 (#20906)

* FIX: Install Languages Manager language badges wrongly set to not match
since upgrade to 3.8.10

* Correcting Installed languages too

* Replace the URL parameter "limitstart=0" with "start=0" if the SEF mode is on (#19452)

* Replace &limitstart=0 to &start=0 if SEF is ON

* Replace URL param start=x to limitstart=x even if start is 0

* Remove non callable array items from field categories (#20093)

* Update default.php

* Update fields.php

* Update default.php

* Update fields.php

* Update fields.php

* Update fields.php

* [Site Modules] Manifest file filters, part 1 (#20845)

* [Modules] Manifest file filters

* Chosen placeholders

* [cs] leading spaces (#20858)

* [cs]leading spaces

While checking #20844 I saw that these strings all have a leading space which should not be there

* oops

* [Site Modules] Manifest file filters, part 2 (#20856)

* [Site Modules] Manifest file filters, part 2

* Update default.php

* Update default.php

* Update default.php

* [Site Modules] Manifest file filters, part 3 (#20857)

* [Admin Modules] Manifest file filters (#20868)

* [Admin Modules] Manifest file filters

* Default values

* Fix OpenSearch implementation

* [mod_articles_category] Showon

* Add showon to levels

* Update string

* Remove CSS

* Add security issue template

* Formatting

* Let the table check the data before storing.

* [Templates] Escape sitename (#21008)

* Checking return value and catching whole stuff

* Updating Bosnian installation language files

* Updated 3.9-dev and added 3.10-dev (#21097)

* Exceptions in Joomla\CMS\Table\Usergroup refer to categories (#21098)

* Exceptions in Joomla\CMS\Table\Usergroup refer to categories

Pull Request for Issue #21092 .

### Summary of Changes
remove todo that is clearly a copy paste error from somewhere else
change exception message to usergroups from category

NOTE the first exception `if ($this->id == 0)`
I am not sure if that should even be present - doesn't look like it to me - please advise

* Update Usergroup.php

* Deprecate sef_advanced strings (#21116)

* [com_content] Featured articles tag filtering (#21138)

* Update ModuleHelper.php (#20273)

* The JPATH_ constants are not magic strings (#21151)

* Remove if/else in user debug models that can never hit else conditions (#21188)

* [com_content] Featured articles access filter (#21168)

* Media manager doesn't obey relative paths for video files (#21156)

* correct video url

fixes joomla#21145 (comment)

* fix

* Speed up regex in emailcloak plugin (#20956)

* Speed up regex in emailcloak plugin

* Fix comment

* Fix subform.repeatable-table multi field styling (#20209)

* Fix subform.repeatable-table multi field styling

* Fix staging less/css

* revert previous

* Update FormField.php (#20168)

* Update HTMLHelper.php (#19770)

* Fix a problem with older Joomla versions language packs registration and update sites rebuild (#16355)

* Fix a problem with older language packs

Language packs installed under older Joomla versions are registered in the database under their package name, not under their name and since rebuild function fails on them.

e.g. package with 
  <name>Afrikaans (South Africa)</name>
  <packagename>af-ZA</packagename>

has name column in #_extensions table set as 	af-ZA and since existing query fails.

* Update updatesites.php

* missing single quote (#21213)

* Add a note field from the #__fields_groups table to the field list query

* [3.x FIX] Getting the correct associations in sidebyside view for contact and newsfeeds (#21180)

* [3.x FIX] Getting the correct associations in sidebyside view for
contact and newsfeeds

* undefined property

* correction in js

* [com_menus] Remove useglobal (#21095)

* [fix] fixed PluginHelper import of xtd-editors plugins (#17907)

* [fix] fixed PluginHelper import of xtd-editors plugins

* [imp] small adjustment and comment

* Fix errors exposed by strict (#12544)

* Don't need a closure, jQuery ready function is enough. Use strict.

* Fix errors exposed by strict. Undeclared variables. wrong regex backreference

* Fix some undeclared/wrongly declared variables

* Avoid some redundant calls of $(this)

* Remove some redundant (also wrong) code.

* [3.8] Make the text clearer (#20940)

* make the text clearer

Make the PLG_TWOFACTORAUTH_TOTP_STEP3_TEXT text clearer.

* thanks @brianteeman

* Adding Lithuanian language files.

* Updating Lithuanian language strings for TinyMCE

* Appended input fields (#21257)

PR for #12448

## Steps to reproduce the issue

Affects all appended input fields. E.g. navigate to a single article menu item (Menus -> MainMenu -> Home) and resize the screen below 767px. Input fields extend outside the viewport.

* CSS for flags (#21254)

Fix for #13678 reported by @gwsdesk

* Add "Reviewed by Hound" badge (#21263)

* Adjust doc block to ensure file is included in patch packages due to accidental deletion with last release's post-update script

* Prepare 3.8.11 release candidate

* Reset to dev

* Prepare 3.8.11 release

* Bump to 3.8.12-dev

* Added security scan tool to CI setup (#20796)

* Added security scan tool to CI setup

* Updated ordering

* fixed command name