[meta] Priorities for 2021-04-07 release of Drupal 7

Assorted todo lists carried over from #3179845: [meta] Priorities for 2020-12-02 bugfix release of Drupal 7.76 / 7.77.

These are not necessarily in priority order.
Almost all of these fixes are viewed by some people to be important and may be included in their drush make or composer.json files.

Done

• #3200407: [PHP8] ArgumentCountError: Too few arguments to function _drupal_error_handler() and friends
• #3185918: [PP-1] [PHP 8] Fix DatabaseConnection::query signature mismatch with PDO::query
• #3156847: [PHP 8] Parameter order fixes
• #3200708: [PHP8] Error: User-supplied statement does not accept constructor arguments in PDO->prepare()
• #3204161: [D7] MySQL on PHP 8 now errors when committing or rolling back when there is no active transaction
• #2803921: A valid one-time login link may be leaked by the referer header to 3rd parties
• #3195939: hardening of destructor in Archive_Tar
• #2470619: Do not attempt field storage write when field content did not change
• #3051721: [D7] Remove dead code: progress.upload_callback, progress.error_callback
• #1079116: Inaccurate text: Images must be smaller than !max pixels.
• #3206428: [PHP 8] test failures in Form element validation
• #3206429: [PHP 8] test failures in Drupal error handlers
• #3206431: [PHP 8] test failures in User administration
• #3206438: [PHP 8] deprecated functions in OpenID
• #3007719: Trailing space was added in 7.60 update
• #3170525: Set samesite cookie attribute for PHP sessions
• #2400287: Remove all occurences of sourceMappingURL and sourceURL when JS files are aggregated
• #3008166: [D7] Unnecessary looping in Xss::filter when processing attributes.
• #3175678: Trying to access array offset on value of type bool in menu_get_active_breadcrumb() (line 2598)
• #2842762: Call to undefined function drupal_get_path_alias() in url()

PHP 8

• All done.. ?

todo

• #3102159: Add tests for Archive_Tar multiple security fixes for Archive_Tar recently and there's no test coverage in D7
• #229825: backport "$_COOKIE['has_js'] must die" patch to 7.x Fixed in D8/9. Recent testing confirms works.
• #106721: Optimize node access query building Important performance improvement. Used in acquia commons distribution with >600 installs.

Issues raised by @MustangGB:

• #2884171: The drupal_render() function could use a bit more protection May need to add logging for developers.
• #2994212: SqlContentEntityStorage::loadFromDedicatedTables() does use an unnecessary sort in the DB leading to a filesort Another field storage issue, marked as major with patch by Fabianx that still applies.
• #2323963: [D7] Put "List" "Roles" and "Permissions" as top-level items. Simple cosmetic fix. Fabianx does not agree with this simple fix and would like to see more work towards a better fix.

Issues which have had recent activity, and are RTBC. Possibly transfer to next maintenance release:
The issues above have not been added into the following sorting.

Simple Fixes: These may only take a few minutes each to review and commit.

• #674354: CSS selectors get overridden by narrower selector at style.css when using Seven Simple fix, moves inline with D8 having more specific selectors.
• #1944246: taxonomy_allowed_values should use entity_label Helpful for taxonomy translation. Fixed in D8. Two lines!
• #1973278: Error in image_styles of image.module on database update Simple fix, does it really need a test?
• #2039709: Forward slash in filter aliases in url alias overview doesn't work Simple fix. Major issue. Fixed in D8. Backport to D7. Re-queued tests
• #2768921: Backport server configuration code from SA-CORE-2016-003 to Drupal 7 patch that is a combined backport of SA-CORE-2016-003 and #2783079: DRUPAL-SA-CORE-2016-003 Completely broke IIS drupal deployments
• #2863786: D7 ThemeRegistry array_key_exists() micro-optimization Simple fix, micro-optimization. Fixed in D8. Fabianx likes this, see comment#18.
• #2959727: drupal_add_html_head_link() needs to allow multiple hreflang tags to point to one URL. Simple fix required for sites using translations.
• #3006123: D7 drupal_array_get_nested_value() array_key_exists() micro-optimization Simple fix, micro-optimization.
• #3015223: Never use aggregation in maintenance mode. Simple fix, Fabianx marked as RTBC, patch re-rolled. Draft change record exists https://www.drupal.org/node/3018664
• #3023545: [D7] Disable brotli compression of pre-compressed CSS and JS Adds a few lines in .htaccess prevents double compression. Fixed in D8.
• #3181653: Add aria-atomic to autocomplete Simple fix required for some accessibility checkers
• #3200198: [D7] password reset form prevent revealing email or username in use Simple fix, backport of issue fixed in D9 with tags "Security & Privacy improvements"
• #920840: Broken images displayed and PHP notices when file/image field values are missing
• #2218647: [D7] Undefined property: stdClass::$nid in node_tokens()

Important Fixes:

• #460408: Cannot administer menu item/link if it points to an unpublished node Important fix, tagged as major. Patch by David Rothstein RTBC. Fixed in D8.
• #980144: Issues with "required, multiple" fields in forms Important fix. Fixed in D8
• #1007746: Reordering fails with more than 100 items in a menu Important fix. Patch has tests and is fixed in D8/D9.
• #1705618: Double click prevention on form submission Important to prevent double submission of forms, creating duplicate nodes, etc. Must clear browser cache to take effect.
• #1899126: [D7] Add wrappers to fix permission checks Required for POSIX filesystem. Fixed in D8? @orlitzky: "I'm just going to keep updating the patch for drupal-7.x for the rest of my life." "I'll keep posting patches until I don't have to any more."
• #1951408: Core Update manager doesn't correctly handle "status" UPDATE_NOT_CHECKED Includes D7 core patch in comment #16. Required for update_advanced module that is used by 2,700 sites and "Triaged D8 major" but no action for D8/D9.
• #1978176: Build menu_tree without loading so many objects @joseph.olstad: "... the performance improvement is huge! .. After several years I see no credible reports of an issue with this patch"
• #2431283: Cron CSRF vulnerability Security hardening fix. Fixed in D8. Fabianx comment in #31, just before last patch.
• #2522002: Do not strip www. from cookie domain by default because that leaks session cookies to subdomains Simple patch, security improvement. Sessions table may need to be emptied. Backport. Fixed in D8. Change record for D8 https://www.drupal.org/node/2523826
• #2637680: Submit buttons for GET forms in search/views are not W3C valid due to empty 'name' attribute Fixed in D8. Has tests that fail as expected.
• #2752783: [D7] file_unmanaged_move() should issue rename() where possible instead of copy() & unlink() Important fix. Mcdruid urging commit. @joseph.olstad: "D8 has this already. It is a good idea."
• #2789723: [D7 backport] drupal_mkdir does not set permissions to directories it created recursively Important fix, includes tests. Backport of D8 fix.
• #2802159: [D7] SQL layer: $match_operator is vulnerable to injection attack Important fix. Backport of D8 fix.
• #2970929: [D7] Support X-Forwarded-* HTTP headers alternates Important backport for reverse proxies and load balance.
• #3008170: [D7] Deleting node type leaves orphan nodes Important, has tests. Backport from D8

Unsorted Fixes:

• #111702: Set fixed "from:" and add "Reply-to:" to comply with DMARC
• #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls Needs work and needs CR
• #1328696: Problem with _drupal_wrap_mail_line and attachment files Attachment of docx file or files with long names results in email that is not correct. Fixed in D8, backport for D7 has patch.
• #1835754: Add last 'changed' property to user entity Nice to have. Adds last modified to user table. Has been added to D8/9
• #2128055: Files should be uploaded to per year/month directories by default
• #3002101: Ajax upload with validation throws PHP notice on PHP 7
• #3017522: Make SSL options configurable in drupal_http_request() Verifies SSL certificates in OpenSSL connections (Critical)
• #3176634: [D7] node_access filters out accessible nodes when node is left joined Issue identified as major. Fixed in D8 with D9 fix pending. Backport to D7 patch from 2016-March-9