[meta] Priorities for 2023-12-06 release of Drupal 7

Assorted todo lists carried over from #3325849: [meta] Priorities for 2023-06-07 release of Drupal 7.

These are not necessarily in priority order.

Top priorities

• #3378257: harden D7 against PHP Gadget Chain Drupal7/RCE1
• #3304807: [META] Make Drupal 7 compatible with PHP 8.2
• #3380823: [META] Make Drupal 7 core compatible with PHP 8.3
• #3357707: Backport the Announcements Feed core module to Drupal 7
• #3373222: Fallback to feed item description does not strip HTML, only takes 40 chars even though field allows 255 - aggregator feeds from mastodon don't work well out of the box (topical!)

Simple fixes

• #2540830: Sanitize watchdog() link in dblog_event()
• #808416: Document that clock drift will cause lock system to fail
• #2801329: [D7] Remove system.cron.js and libraries definition
• #2677118: Wrong usage of watchdog in system.api.php
• #1721506: In update.php instructions, move database backup after maintenance mode.
• #3372666: D7 Backport: Links with "@" are converted into email addresses even if there is no domain suffix present
• #3384545: Update the list of reserved keywords in DatabaseConnection_mysql
• #764408: [D7] Drupal.t() does not respect locale_custom_strings
• #3348669: system.mail.inc: strpos(): Passing null to parameter #1 ($haystack) of type string is deprecated
• #2847553: XSS attribute handling mangles valid attribute names containing numbers (D7 backport)
• #3195566: Add a note on MySQL 8 sql_mode override
• #3362409: Vertical tabs result in jQuery error when overlay-context hashtag is added to URL
• #2180877: file_validate_image_resolution() doesn't recalculate the image dimensions after checking $maximum_dimensions
• #3386936: [D7] Remove unused/non-working function getSchemaUpdates()
• #2978218: Add "delete" link on node Translate tab Operations

Important fixes

• #3326994: [D7] Username enumeration via one time login route Security improvement - username disclosure
• #2880910: [D7] Nothing clears the "5 failed login attempts" security message when a user resets their own password
• #3383556: [D7] Username disclosure in /user/password
• #3384672: [D7] PostgreSQL queries that fail in a transaction break the entire transaction
• #2722453: [D7] Improve cron logging
• #3384397: [D7] When adding a new menu link, restrict the available parents to the current menu
• #2139651: The 'access' property of hook_user_cancel_methods_alter() methods is never used
• #3032209: Allow users to update their settings regardless of duplicate email addresses in the users table.
• #2539478: Allow image fields to use any extensions the current image toolkit supports (instead of hard-coding jpg, png and gif only) Remove hardcoded image files extensions.
• #2749007: Autocomplete broken for servers enforcing clean URLs Security Regression
• #1158322: Add backtrace to all errors
• #3282349: Older PHP versions set SameSite attribute on insecure session cookie
• #3255713: [D7] Login fails and no warning is issued if cookies are not enabled This is a D7 backport of #2946: Login fails and no warning is issued if cookies are not enabled, an 18 year old issue that was marked as major and committed to drupal 9.3.x in June 2021.
• #2752783: [D7] file_unmanaged_move() should issue rename() where possible instead of copy() & unlink() Important fix. Mcdruid urging commit. @joseph.olstad: "D8 has this already. It is a good idea."
• #3015142: drupal_goto short circuits and doesn't set things to cache
• #1415278: Using entity_get_info in a hook_hook_info results in an incomplete module_implements cache.
• #2819375: Do not make entries in "cache_form" when viewing forms that use #ajax['callback'] (Drupal 7 port)
• #3182166: [D7] preg_split in _filter_url breaks for long html tags
• #1209226: Avoid slow query for path alias whitelists
• #1978176: Build menu_tree without loading so many objects @joseph.olstad: "... the performance improvement is huge! .. After several years I see no credible reports of an issue with this patch"
• #2783153: [D7] Convert drupalSettings from JavaScript to JSON, to allow for CSP in the future FabianX said it looks good, has updated tests
• #2970929: [D7] Support X-Forwarded-* HTTP headers alternates Important backport for reverse proxies and load balance.
• #1899126: [D7] Add wrappers to fix permission checks Required for POSIX filesystem. Fixed in D8? @orlitzky: "I'm just going to keep updating the patch for drupal-7.x for the rest of my life.""I'll keep posting patches until I don't have to any more."
• #2418755: Path alias filter by system path (D10 patch, still Needs review) includes 6 year old patch for D7 in comment #1 that has been RTBC and without the patch "it's very hard to find alias which contains few slashes in path."
• #3210388: Potential dataloss when opting in to "Avoid field storage write when field content did not change" and changing the bundle type of an existing entity
• #3176634: [D7] node_access filters out accessible nodes when node is left joined Issue identified as major. D8/9 fix pending.

Unsorted fixes

• #3284424: pg_attribute.attrelid error
• #3026560: After upgrade to 7.63, 8.5.10, 8.6.7, 9.4.0 get TYPO3 phar error for drush
• #1982810: Core entity_get_controller gets a NULL controller class
• #2345695: Users are able to upload 0-byte images
• #3304385: [D7] node/add page misses content types when menu links are moved or disabled
• #2456193: Menu links - not possible to create numeric paths
• #111702: Set fixed "from:" and add "Reply-to:" to comply with DMARC
• #2962374: [D7] Path alias validation should test for relative path, no trailing slash requirements
• #2793297: [D7] Automatically shorten cid's in DrupalDatabaseCache
• #1992010: Reverting to revisions prior to addition of field translations is broken Issue is 9 years old, marked as critical and has patch that is RTBC and passes automated tests. Are tests sufficient?
• #1328696: Problem with _drupal_wrap_mail_line and attachment files Attachment of docx file or files with long names results in email that is not correct. Fixed in D8, backport for D7 has patch.
• #2847484: Support boolean attributes in drupal_attributes()
• #691932: Add hook_field_schema_alter()
• #3035571: [D7] ImageStyle::transformDimensions unable to deal with all effects.
• #1565892: node_type_delete() doesn't check the value returned from node_type_get_type()
• #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls Needs work and needs CR
• #139015: breadcrumbs wrong on dblog event detail pages Issue seems in good shape, needs a bit of work as of Aug-4
• #1951408: Core Update manager doesn't correctly handle "status" UPDATE_NOT_CHECKED Includes D7 core patch in comment #16 that passes tests and is RTBC. Required for update_advanced module that is used by 2,700 sites. Does not appear to be relevant to D8/D9.
• #498752: Partial word search for Drupal 7 Includes working patch from 5 yrs ago. Was closed as won't fix feature request. Now that a similar feature is proposed for D9 core #103548: Partial Search in Drupal Core maybe it's worth considering.
• #2026817: node_access() should static cache by vid and not nid.