[Debug] Improve keyword highlighting and escaping of query strings.

[sfadschm]

Description
This PR adds a few more composite query keywords to the highlight list for the debug toolbar.
I also decided to sort the keywords alphabetically, as it was a pain checking which ones are missing. (This is debatable of course.)

• Deconstruct composite keywords.
• Sort kewords alphabetically.
• Modify regex pattern to ignore kewords within escaped string values ('').
• [WIP] Add HTML escaping.

Depends on #5196.

Checklist:

• Securely signed commits
• Conforms to style guide

Before:

After:

[sfadschm]

Added a first basic test.
However, I am wondering what this

CodeIgniter4/system/Database/Query.php

Lines 406 to 408 in 9c6a355

	if (empty($this->finalQueryString)) {
	$this->compileBinds(); // @codeCoverageIgnore
	}

is trying to achieve? compileBinds does:

CodeIgniter4/system/Database/Query.php

Line 276 in 9c6a355

$sql = $this->finalQueryString;

So if finalQueryString was empty before, it will also be empty after, or do I miss something?

I think, debugToolbarDisplay() should rather call getQuery() to ensure the final query string is set before highlighting.

[paulbalandan]

That part I added for the sake of prudence. Essentially that is useless because before calling getDebugToolbarDisplay() on Query we are sure that compileBinds was already called when the sql was executed. Added there only as guard.

I think with the proposed changes in #5127 we'll get a different approach on how to treat these things.

[sfadschm]

That part I added for the sake of prudence. Essentially that is useless because before calling getDebugToolbarDisplay() on Query we are sure that compileBinds was already called when the sql was executed. Added there only as guard.

I think with the proposed changes in #5127 we'll get a different approach on how to treat these things.

Alright, did not see that #5127 already handles this. I will leave it like it is then.
However, depending on which PR is merged first, this line can be removed from the test then:

$query->getQuery();

[kenjis]

Add HTML escaping, please.
#5196 (comment)

[sfadschm]

Added htmlspecialchars and a corresponding test. Will this do?
I chose to enable ENT_COMPAT, as we escape als values in the query string with single quotes.

[paulbalandan]

How about using esc?

[sfadschm]

How about using esc?

Seems to work in principle, too.
But also escapes the single quotes such that if we do esc then preg_replace, the regex doesn't work anymore to ignore keywords in values. If we do the other way around the highlighing gets escaped, too.

Possible workaround would be to change the regex from looking for ' to look for '.
Does not look to pretty to me, but I'm open for all ways 😄

[kenjis]

The escaping way looks good to me.

[sfadschm]

The escaping way looks good to me.

The esc() or htmlspecialchars() way?

[lonnieezell]

Use esc() please.

[sfadschm]

Should be working.

[MGatner]

This looks awesome! I haven't read all the code but seeing as the others have: I approve the screenshot. 🤣

Whoever merges please squash.