Fix several vulnerabilities (#13927)

* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward reflected XSS vulnerability if a malicious HTML/JavaScript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed sharing an event as any other user after zeroing the cid field of an existing event
Hypolite Petovan 2024-02-22 00:53:52 -05:00 committed by GitHub
parent fc3898fe64
commit 5c5d7eb04f
GPG key ID: B5690EEEBB952194
8 changed files with 26 additions and 27 deletions
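The "prevent pass-through for attachments" item above is the pattern a practitioner will most often need to reproduce: an uploaded file must be served so that the browser saves it rather than rendering it inside the site's origin, otherwise an uploaded `.html` file becomes a stored XSS payload. The block below is an added example, not Friendica's own code; it assumes a stored-metadata array `$item` with `filename`, `filetype` and `filesize` keys (the same shape the diff further down reads from), and goes slightly beyond the commit by also escaping the filename inside the header value and disabling MIME sniffing.

```php
<?php
// Added example (not Friendica code): build download headers for a stored upload
// so that user-supplied HTML/JS is downloaded, never rendered inline.
declare(strict_types=1);

/**
 * Build the response headers for serving an uploaded attachment.
 *
 * - Content-Disposition is always "attachment". No request parameter (such as
 *   the former ?attachment=0) can switch it back to inline display, so an
 *   uploaded HTML file is saved to disk instead of executing as the site.
 * - The filename is escaped for the quoted-string form and also sent as an
 *   RFC 5987 filename* parameter, so a stored name containing '"' or '\'
 *   cannot terminate the header value early, and non-ASCII names survive.
 * - X-Content-Type-Options: nosniff stops the browser from second-guessing
 *   the stored Content-Type.
 *
 * @param array{filename:string, filetype:string, filesize:int} $item  stored metadata (assumed shape)
 * @return array<string,string>  header name => header value
 */
function attachmentHeaders(array $item): array
{
    // Defensive: PHP's header() already refuses CR/LF, but keep the value clean.
    $name = str_replace(["\r", "\n"], '', $item['filename']);

    // filename="..." needs backslash and double quote escaped.
    $quoted = addcslashes($name, '"\\');

    // filename*=UTF-8''... carries arbitrary bytes percent-encoded.
    $extended = "UTF-8''" . rawurlencode($name);

    return [
        'Content-Type'           => $item['filetype'],
        'Content-Length'         => (string) $item['filesize'],
        'Content-Disposition'    => sprintf('attachment; filename="%s"; filename*=%s', $quoted, $extended),
        'X-Content-Type-Options' => 'nosniff',
    ];
}

/**
 * Emit the headers and the file body. Call this instead of writing
 * header('Content-disposition: ...') inline at every download endpoint.
 */
function sendAttachment(array $item, string $data): void
{
    foreach (attachmentHeaders($item) as $name => $value) {
        header($name . ': ' . $value);
    }
    echo $data;
}

// Demo with constructed metadata: a filename crafted to break a naive header.
$item = ['filename' => 'evil".html', 'filetype' => 'text/html', 'filesize' => 34];
foreach (attachmentHeaders($item) as $name => $value) {
    echo $name, ': ', $value, "\n";
}
// Content-Disposition comes out as:
//   attachment; filename="evil\".html"; filename*=UTF-8''evil%22.html
```

Keeping the header construction in one function means a future "inline preview" feature has a single place where an allowlist of safe types (images, plain text) could be checked before anything other than `attachment` is ever emitted.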


@ -65,11 +65,7 @@ class Attach extends BaseModule
// error in Chrome for filenames with commas in them
header('Content-type: ' . $item['filetype']);
header('Content-length: ' . $item['filesize']);
if (isset($_GET['attachment']) && $_GET['attachment'] === '0') {
header('Content-disposition: filename="' . $item['filename'] . '"');
} else {
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
}
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
echo $data;
System::exit();
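Review bot: the remaining `header('Content-disposition: attachment; filename="' . $item['filename'] . '"');` interpolates the stored filename into a quoted-string unescaped, so a filename containing a double quote (or backslash) ends the quoted value early and leaves the rest of the name as stray header parameters; consider `addcslashes($item['filename'], '"\\')` for the quoted form and an additional `filename*=UTF-8''` . `rawurlencode(...)` parameter for non-ASCII names. Since `header('Content-type: ' . $item['filetype']);` still echoes the stored type as-is, an `X-Content-Type-Options: nosniff` header next to it would close the remaining sniffing avenue now that the inline (`$_GET['attachment'] === '0'`) branch is gone.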