Fix several vulnerabilities (#13927)

* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event

src/Module/Calendar/Event/API.php

@@ -142,7 +142,8 @@ class API extends BaseModule
 	{
 		$eventId = !empty($request['event_id']) ? intval($request['event_id']) : 0;
 		$uid     = (int)$this->session->getLocalUserId();
-		$cid     = !empty($request['cid']) ? intval($request['cid']) : 0;
+		// No overwriting event.cid on edit
+		$cid     = !empty($request['cid']) && !$eventId ? intval($request['cid']) : 0;
 
 		$strStartDateTime  = Strings::escapeHtml($request['start_text'] ?? '');
 		$strFinishDateTime = Strings::escapeHtml($request['finish_text'] ?? '');