From 972f579a9841aaac917eb0d498fab22114167b1c Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Tue, 4 Jan 2022 16:11:09 +0900
Subject: [PATCH 01/16] Merge pull request #5532 from
 kenjis/update-CHANGELOG-416

docs: add Security advisory in CHANGELOG.md
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c2ea5e536da0..4d333c153241 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.5...v4.1.6)
 
+**SECURITY**
+
+* *Deserialization of Untrusted Data* found in the ``old()`` function was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x) for more information.
+
 **Breaking Changes**
 
 * fix: Incorrect type `BaseBuilder::$tableName` by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/5378

From e1f40c5e8de2481243fb3d623eb2882dacc72eab Mon Sep 17 00:00:00 2001
From: MGatner <mgatner@icloud.com>
Date: Tue, 4 Jan 2022 10:17:50 -0500
Subject: [PATCH 02/16] Merge pull request #5537 from
 kenjis/fix-ug-changelog-416

docs: minor addition to changelogs/v4.1.6.rst and upgrade_416.rst
---
 user_guide_src/source/changelogs/v4.1.6.rst        | 2 ++
 user_guide_src/source/installation/upgrade_416.rst | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/user_guide_src/source/changelogs/v4.1.6.rst b/user_guide_src/source/changelogs/v4.1.6.rst
index 5068d92a99f3..6993add513f9 100644
--- a/user_guide_src/source/changelogs/v4.1.6.rst
+++ b/user_guide_src/source/changelogs/v4.1.6.rst
@@ -65,3 +65,5 @@ And the following methods are deprecated:
 
 Bugs Fixed
 **********
+
+See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.
diff --git a/user_guide_src/source/installation/upgrade_416.rst b/user_guide_src/source/installation/upgrade_416.rst
index 9fd585821740..f81dacf8ec79 100644
--- a/user_guide_src/source/installation/upgrade_416.rst
+++ b/user_guide_src/source/installation/upgrade_416.rst
@@ -17,6 +17,8 @@ Due to a bug fix, the Validation now might change the validation results when yo
 Breaking Enhancements
 *********************
 
+none.
+
 Project Files
 *************
 

From 803442218be44f7daf61b22ec438e1e95cf0d4e9 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Wed, 5 Jan 2022 10:25:02 +0900
Subject: [PATCH 03/16] Merge pull request #5527 from paulbalandan/kint-4.1.1

Update modified Kint files in `ThirdParty`
---
 .../ThirdParty/Kint/Renderer/CliRenderer.php  | 29 +++++++++++++++++--
 .../ThirdParty/Kint/Renderer/RichRenderer.php | 15 ++++++++--
 2 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/system/ThirdParty/Kint/Renderer/CliRenderer.php b/system/ThirdParty/Kint/Renderer/CliRenderer.php
index f86671ff1cf3..12b18d036b62 100644
--- a/system/ThirdParty/Kint/Renderer/CliRenderer.php
+++ b/system/ThirdParty/Kint/Renderer/CliRenderer.php
@@ -59,6 +59,15 @@ class CliRenderer extends TextRenderer
      */
     public static $min_terminal_width = 40;
 
+    /**
+     * Which stream to check for VT100 support on windows.
+     *
+     * null uses STDOUT if it's defined
+     *
+     * @var null|resource
+     */
+    public static $windows_stream = null;
+
     protected static $terminal_width = null;
 
     protected $windows_output = false;
@@ -69,8 +78,22 @@ public function __construct()
     {
         parent::__construct();
 
-        if (!self::$force_utf8) {
-            $this->windows_output = KINT_WIN;
+        if (!self::$force_utf8 && KINT_WIN) {
+            if (!KINT_PHP72) {
+                $this->windows_output = true;
+            } else {
+                $stream = self::$windows_stream;
+
+                if (!$stream && \defined('STDOUT')) {
+                    $stream = STDOUT;
+                }
+
+                if (!$stream) {
+                    $this->windows_output = true;
+                } else {
+                    $this->windows_output = !\sapi_windows_vt100_support($stream);
+                }
+            }
         }
 
         if (!self::$terminal_width) {
@@ -153,7 +176,7 @@ protected function utf8ToWindows($string)
     {
         return \str_replace(
             ['┌', '═', '┐', '│', '└', '─', '┘'],
-            ["\xda", "\xdc", "\xbf", "\xb3", "\xc0", "\xc4", "\xd9"],
+            [' ', '=', ' ', '|', ' ', '-', ' '],
             $string
         );
     }
diff --git a/system/ThirdParty/Kint/Renderer/RichRenderer.php b/system/ThirdParty/Kint/Renderer/RichRenderer.php
index 94b7f98ab71f..46a8827ded56 100644
--- a/system/ThirdParty/Kint/Renderer/RichRenderer.php
+++ b/system/ThirdParty/Kint/Renderer/RichRenderer.php
@@ -133,6 +133,9 @@ class RichRenderer extends Renderer
 
     public static $always_pre_render = false;
 
+    public static $js_nonce = null;
+    public static $css_nonce = null;
+
     protected $plugin_objs = [];
     protected $expand = false;
     protected $force_pre_render = false;
@@ -389,10 +392,18 @@ public function preRender()
 
                 switch ($type) {
                     case 'script':
-                        $output .= '<script class="kint-rich-script">'.$contents.'</script>';
+                        $output .= '<script class="kint-rich-script"';
+                        if (null !== self::$js_nonce) {
+                            $output .= ' nonce="'.\htmlspecialchars(self::$js_nonce).'"';
+                        }
+                        $output .= '>'.$contents.'</script>';
                         break;
                     case 'style':
-                        $output .= '<style class="kint-rich-style">'.$contents.'</style>';
+                        $output .= '<style class="kint-rich-style"';
+                        if (null !== self::$css_nonce) {
+                            $output .= ' nonce="'.\htmlspecialchars(self::$css_nonce).'"';
+                        }
+                        $output .= '>'.$contents.'</style>';
                         break;
                     default:
                         $output .= $contents;

From 12d998ab87e0230f91892c9da7957c13895ded0d Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Wed, 5 Jan 2022 10:25:59 +0900
Subject: [PATCH 04/16] Merge pull request #5536 from
 kenjis/fix-BaseConnection-connectDuration

fix: BaseConnection::getConnectDuration() number_format(): Passing null to parameter
---
 system/Database/BaseConnection.php           |  4 ++--
 tests/system/Database/BaseConnectionTest.php | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/system/Database/BaseConnection.php b/system/Database/BaseConnection.php
index 5f678e5114d7..53e5dad1b351 100644
--- a/system/Database/BaseConnection.php
+++ b/system/Database/BaseConnection.php
@@ -258,14 +258,14 @@ abstract class BaseConnection implements ConnectionInterface
      *
      * @var float
      */
-    protected $connectTime;
+    protected $connectTime = 0.0;
 
     /**
      * How long it took to establish connection.
      *
      * @var float
      */
-    protected $connectDuration;
+    protected $connectDuration = 0.0;
 
     /**
      * If true, no queries will actually be
diff --git a/tests/system/Database/BaseConnectionTest.php b/tests/system/Database/BaseConnectionTest.php
index 7d2352a0e9b2..9bb8ddee1499 100644
--- a/tests/system/Database/BaseConnectionTest.php
+++ b/tests/system/Database/BaseConnectionTest.php
@@ -123,6 +123,16 @@ public function testStoresConnectionTimings()
         $this->assertGreaterThan(0.0, $db->getConnectDuration());
     }
 
+    /**
+     * @see https://github.com/codeigniter4/CodeIgniter4/issues/5535
+     */
+    public function testStoresConnectionTimingsNotConnected()
+    {
+        $db = new MockConnection($this->options);
+
+        $this->assertSame('0.000000', $db->getConnectDuration());
+    }
+
     public function testMagicIssetTrue()
     {
         $db = new MockConnection($this->options);

From 3561b9cc749ee8eea97ae1470b4bb6695c4c3f47 Mon Sep 17 00:00:00 2001
From: Lonnie Ezell <lonnieje@gmail.com>
Date: Tue, 4 Jan 2022 21:51:21 -0600
Subject: [PATCH 05/16] Merge pull request #5544 from
 iRedds/fix/debug-toolbar-selectors

Fix: Debug toolbar selectors
---
 system/Debug/Toolbar/Views/toolbar.js | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/system/Debug/Toolbar/Views/toolbar.js b/system/Debug/Toolbar/Views/toolbar.js
index b6883d4b9f3b..1e0869e1050e 100644
--- a/system/Debug/Toolbar/Views/toolbar.js
+++ b/system/Debug/Toolbar/Views/toolbar.js
@@ -24,10 +24,10 @@ var ciDebugBar = {
 		document.getElementById('debug-icon-link').addEventListener('click', ciDebugBar.toggleToolbar, true);
 
 		// Allows to highlight the row of the current history request
-		var btn = document.querySelector('button[data-time="' + localStorage.getItem('debugbar-time') + '"]');
+		var btn = this.toolbar.querySelector('button[data-time="' + localStorage.getItem('debugbar-time') + '"]');
 		ciDebugBar.addClass(btn.parentNode.parentNode, 'current');
 
-		historyLoad = document.getElementsByClassName('ci-history-load');
+		historyLoad = this.toolbar.getElementsByClassName('ci-history-load');
 
 		for (var i = 0; i < historyLoad.length; i++)
 		{
@@ -52,7 +52,7 @@ var ciDebugBar = {
 	},
 
 	createListeners : function () {
-		var buttons = [].slice.call(document.querySelectorAll('#debug-bar .ci-label a'));
+		var buttons = [].slice.call(this.toolbar.querySelectorAll('.ci-label a'));
 
 		for (var i = 0; i < buttons.length; i++)
 		{
@@ -60,7 +60,7 @@ var ciDebugBar = {
 		}
 
 		// Hook up generic toggle via data attributes `data-toggle="foo"`
-		var links = document.querySelectorAll('[data-toggle]');
+		var links = this.toolbar.querySelectorAll('[data-toggle]');
 		for (var i = 0; i < links.length; i++)
 		{
 			links[i].addEventListener('click', ciDebugBar.toggleRows, true);
@@ -84,7 +84,7 @@ var ciDebugBar = {
 		var state = tab.style.display;
 
 		// Hide all tabs
-		var tabs = document.querySelectorAll('#debug-bar .tab');
+		var tabs = this.toolbar.querySelectorAll('.tab');
 
 		for (var i = 0; i < tabs.length; i++)
 		{
@@ -92,7 +92,7 @@ var ciDebugBar = {
 		}
 
 		// Mark all labels as inactive
-		var labels = document.querySelectorAll('#debug-bar .ci-label');
+		var labels = this.toolbar.querySelectorAll('.ci-label');
 
 		for (var i = 0; i < labels.length; i++)
 		{
@@ -502,7 +502,7 @@ var ciDebugBar = {
 	},
 
 	setToolbarPosition: function () {
-		var btnPosition = document.getElementById('toolbar-position');
+		var btnPosition = this.toolbar.querySelector('#toolbar-position');
 
 		if (ciDebugBar.readCookie('debug-bar-position') === 'top')
 		{
@@ -531,7 +531,7 @@ var ciDebugBar = {
 	},
 
 	setToolbarTheme: function () {
-		var btnTheme    = document.getElementById('toolbar-theme');
+		var btnTheme    = this.toolbar.querySelector('#toolbar-theme');
 		var isDarkMode  = window.matchMedia("(prefers-color-scheme: dark)").matches;
 		var isLightMode = window.matchMedia("(prefers-color-scheme: light)").matches;
 
@@ -627,7 +627,7 @@ var ciDebugBar = {
 
 	routerLink: function () {
 		var row, _location;
-		var rowGet = document.querySelectorAll('#debug-bar td[data-debugbar-route="GET"]');
+		var rowGet = this.toolbar.querySelectorAll('td[data-debugbar-route="GET"]');
 		var patt   = /\((?:[^)(]+|\((?:[^)(]+|\([^)(]*\))*\))*\)/;
 
 		for (var i = 0; i < rowGet.length; i++)
@@ -653,7 +653,7 @@ var ciDebugBar = {
 			}
 		}
 
-		rowGet = document.querySelectorAll('#debug-bar td[data-debugbar-route="GET"] form');
+		rowGet = this.toolbar.querySelectorAll('td[data-debugbar-route="GET"] form');
 		for (var i = 0; i < rowGet.length; i++)
 		{
 			row = rowGet[i];

From 187c864a9d37e2bef75e47fe7507dd1da8514603 Mon Sep 17 00:00:00 2001
From: Lonnie Ezell <lonnieje@gmail.com>
Date: Tue, 4 Jan 2022 21:55:19 -0600
Subject: [PATCH 06/16] Merge pull request #5542 from
 kenjis/fix-docs-upgrade-instruction

docs: improve upgrade instructions
---
 .../source/installation/installing_composer.rst      |  9 ++++++---
 .../source/installation/installing_manual.rst        |  8 ++++----
 user_guide_src/source/installation/upgrade_416.rst   | 12 +++++++++---
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/user_guide_src/source/installation/installing_composer.rst b/user_guide_src/source/installation/installing_composer.rst
index ac1be8c5e12c..7133e2cb80bf 100644
--- a/user_guide_src/source/installation/installing_composer.rst
+++ b/user_guide_src/source/installation/installing_composer.rst
@@ -50,6 +50,8 @@ A sample such installation command, using the default project-root "appstarter":
 
 After installation you should follow the steps in the "Upgrading" section.
 
+.. _app-starter-upgrading:
+
 Upgrading
 ---------
 
@@ -68,7 +70,7 @@ If ``--prefer-source`` doesn't automatically update to pull latest framework sou
 If you used the ``--no-dev`` option when you created the project, it
 would be appropriate to do so here too, i.e., ``composer update --no-dev``.
 
-Read the upgrade instructions, and check designated  ``app/Config`` folders for affected changes.
+Read the :doc:`upgrade instructions <upgrading>`, and check Breaking Changes and Enhancements.
 
 Pros
 ----
@@ -142,6 +144,8 @@ Copy the ``env``, ``phpunit.xml.dist`` and ``spark`` files, from
 You will have to adjust the system path to refer to the vendor one, e.g., ``ROOTPATH . '/vendor/codeigniter4/framework/system'``,
 - the ``$systemDirectory`` variable in **app/Config/Paths.php**
 
+.. _adding-codeigniter4-upgrading:
+
 Upgrading
 ---------
 
@@ -149,8 +153,7 @@ Whenever there is a new release, then from the command line in your project root
 
     > composer update --prefer-source
 
-Read the upgrade instructions, and check designated
-``app/Config`` folders for affected changes.
+Read the :doc:`upgrade instructions <upgrading>`, and check Breaking Changes and Enhancements.
 
 Pros
 ----
diff --git a/user_guide_src/source/installation/installing_manual.rst b/user_guide_src/source/installation/installing_manual.rst
index daf7ea26c55f..ebd231cdb2cf 100644
--- a/user_guide_src/source/installation/installing_manual.rst
+++ b/user_guide_src/source/installation/installing_manual.rst
@@ -27,14 +27,14 @@ Setting Up
 
 None
 
+.. _installing-manual-upgrading:
+
 Upgrading
 ---------
 
-Download a new copy of the framework, and then follow the upgrade
-instructions in the release notice or changelog to merge that with your project.
+Download a new copy of the framework, and then replace the ``system`` folder.
 
-Typically, you replace the ``system`` folder, and check designated
-``app/Config`` folders for affected changes.
+Read the :doc:`upgrade instructions <upgrading>`, and check Breaking Changes and Enhancements.
 
 Pros
 ----
diff --git a/user_guide_src/source/installation/upgrade_416.rst b/user_guide_src/source/installation/upgrade_416.rst
index f81dacf8ec79..36f0d1039b46 100644
--- a/user_guide_src/source/installation/upgrade_416.rst
+++ b/user_guide_src/source/installation/upgrade_416.rst
@@ -2,6 +2,12 @@
 Upgrading from 4.1.5 to 4.1.6
 #############################
 
+Please refer to the upgrade instructions corresponding to your installation method.
+
+- :ref:`Composer Installation App Starter Upgrading <app-starter-upgrading>`
+- :ref:`Composer Installation Adding CodeIgniter4 to an Existing Project Upgrading <adding-codeigniter4-upgrading>`
+- :ref:`Manual Installation Upgrading <installing-manual-upgrading>`
+
 .. contents::
     :local:
     :depth: 2
@@ -22,8 +28,8 @@ none.
 Project Files
 *************
 
-Numerous files in the project space (root, app, public, writable) received updates. Due to
-these files being outside of the system scope they will not be changed without your intervention.
+Numerous files in the **project space** (root, app, public, writable) received updates. Due to
+these files being outside of the **system** scope they will not be changed without your intervention.
 There are some third-party CodeIgniter modules available to assist with merging changes to
 the project space: `Explore on Packagist <https://packagist.org/explore/?query=codeigniter4%20updates>`_.
 
@@ -45,7 +51,7 @@ and it is recommended that you merge the updated versions with your application:
 All Changes
 ===========
 
-This is a list of all files in the project space that received changes;
+This is a list of all files in the **project space** that received changes;
 many will be simple comments or formatting that have no effect on the runtime:
 
 * ``app/Config/Filters.php``

From 841e8408811d37fec127ccc8cf3943e3fef20c4c Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Thu, 6 Jan 2022 16:34:23 +0900
Subject: [PATCH 07/16] Merge pull request #5546 from
 kenjis/fix-docs-upgrade_416.rst

docs: add upgrade instruction in upgrade_416.rst
---
 user_guide_src/source/installation/upgrade_416.rst | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/user_guide_src/source/installation/upgrade_416.rst b/user_guide_src/source/installation/upgrade_416.rst
index 36f0d1039b46..ce88d59582b7 100644
--- a/user_guide_src/source/installation/upgrade_416.rst
+++ b/user_guide_src/source/installation/upgrade_416.rst
@@ -20,6 +20,17 @@ Validation result changes
 
 Due to a bug fix, the Validation now might change the validation results when you validate an array item (see :ref:`Changelog <changelog-v416-validation-changes>`). So check the validation results for all the code that validates the array. Validating multiple fields like ``contacts.*.name`` is not affected.
 
+If you have the following form::
+
+    <input type='text' name='invoice_rule[1]'>
+    <input type='text' name='invoice_rule[2]'>
+
+And you have the validation rule like this::
+
+    'invoice_rule' =>  ['rules' => 'numeric', 'errors' => ['numeric' => 'Not numeric']]
+
+Change the rule key to ``invoice_rule.*`` and the validation will work.
+
 Breaking Enhancements
 *********************
 

From c058b18070c08ccb25fe9a64e220474c3d1df084 Mon Sep 17 00:00:00 2001
From: "John Paul E. Balandan, CPA"
 <51850998+paulbalandan@users.noreply.github.com>
Date: Fri, 7 Jan 2022 15:35:24 +0800
Subject: [PATCH 08/16] Merge pull request #5554 from iRedds/fix/toolbar

Fix: Toolbar. ciDebugBar.showTab() context.
---
 system/Debug/Toolbar/Views/toolbar.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/system/Debug/Toolbar/Views/toolbar.js b/system/Debug/Toolbar/Views/toolbar.js
index 1e0869e1050e..3bd05d5e9592 100644
--- a/system/Debug/Toolbar/Views/toolbar.js
+++ b/system/Debug/Toolbar/Views/toolbar.js
@@ -84,7 +84,7 @@ var ciDebugBar = {
 		var state = tab.style.display;
 
 		// Hide all tabs
-		var tabs = this.toolbar.querySelectorAll('.tab');
+		var tabs = document.querySelectorAll('#debug-bar .tab');
 
 		for (var i = 0; i < tabs.length; i++)
 		{
@@ -92,7 +92,7 @@ var ciDebugBar = {
 		}
 
 		// Mark all labels as inactive
-		var labels = this.toolbar.querySelectorAll('.ci-label');
+		var labels = document.querySelectorAll('#debug-bar .ci-label');
 
 		for (var i = 0; i < labels.length; i++)
 		{

From 27235a1267608517086ec61ac33ad56c908563d8 Mon Sep 17 00:00:00 2001
From: Lonnie Ezell <lonnieje@gmail.com>
Date: Fri, 7 Jan 2022 16:12:05 -0600
Subject: [PATCH 09/16] Merge pull request #5553 from
 paulbalandan/backtrace-collector

Refactor Database Collector display
---
 system/Debug/Toolbar/Collectors/Database.php  | 55 ++++++++++++-----
 system/Debug/Toolbar/Views/_database.tpl      |  5 +-
 .../Debug/Toolbar/Collectors/DatabaseTest.php | 61 +++++++++++++++++++
 3 files changed, 103 insertions(+), 18 deletions(-)
 create mode 100644 tests/system/Debug/Toolbar/Collectors/DatabaseTest.php

diff --git a/system/Debug/Toolbar/Collectors/Database.php b/system/Debug/Toolbar/Collectors/Database.php
index 520ddc7c5dc6..26cb02ddfeb0 100644
--- a/system/Debug/Toolbar/Collectors/Database.php
+++ b/system/Debug/Toolbar/Collectors/Database.php
@@ -85,11 +85,19 @@ public static function collect(Query $query)
         if (count(static::$queries) < $max) {
             $queryString = $query->getQuery();
 
+            $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
+
+            if (! is_cli()) {
+                // when called in the browser, the first two trace arrays
+                // are from the DB event trigger, which are unneeded
+                $backtrace = array_slice($backtrace, 2);
+            }
+
             static::$queries[] = [
                 'query'     => $query,
                 'string'    => $queryString,
                 'duplicate' => in_array($queryString, array_column(static::$queries, 'string', null), true),
-                'trace'     => debug_backtrace(),
+                'trace'     => $backtrace,
             ];
         }
     }
@@ -134,23 +142,39 @@ public function display(): array
         $data['queries'] = array_map(static function (array $query) {
             $isDuplicate = $query['duplicate'] === true;
 
-            // Find the first line that doesn't include `system` in the backtrace
-            $line = [];
+            $firstNonSystemLine = '';
+
+            foreach ($query['trace'] as $index => &$line) {
+                // simplify file and line
+                if (isset($line['file'])) {
+                    $line['file'] = clean_path($line['file']) . ':' . $line['line'];
+                    unset($line['line']);
+                } else {
+                    $line['file'] = '[internal function]';
+                }
+
+                // find the first trace line that does not originate from `system/`
+                if ($firstNonSystemLine === '' && strpos($line['file'], 'SYSTEMPATH') === false) {
+                    $firstNonSystemLine = $line['file'];
+                }
 
-            foreach ($query['trace'] as &$traceLine) {
-                // Clean up the file paths
-                $traceLine['file'] = str_ireplace(APPPATH, 'APPPATH/', $traceLine['file']);
-                $traceLine['file'] = str_ireplace(SYSTEMPATH, 'SYSTEMPATH/', $traceLine['file']);
-                if (defined('VENDORPATH')) {
-                    // VENDORPATH is not defined unless `vendor/autoload.php` exists
-                    $traceLine['file'] = str_ireplace(VENDORPATH, 'VENDORPATH/', $traceLine['file']);
+                // simplify function call
+                if (isset($line['class'])) {
+                    $line['function'] = $line['class'] . $line['type'] . $line['function'];
+                    unset($line['class'], $line['type']);
                 }
-                $traceLine['file'] = str_ireplace(ROOTPATH, 'ROOTPATH/', $traceLine['file']);
 
-                if (strpos($traceLine['file'], 'SYSTEMPATH') !== false) {
-                    continue;
+                if (strrpos($line['function'], '{closure}') === false) {
+                    $line['function'] .= '()';
                 }
-                $line = empty($line) ? $traceLine : $line;
+
+                $line['function'] = str_repeat(chr(0xC2) . chr(0xA0), 8) . $line['function'];
+
+                // add index numbering padded with nonbreaking space
+                $indexPadded = str_pad(sprintf('%d', $index + 1), 3, ' ', STR_PAD_LEFT);
+                $indexPadded = preg_replace('/\s/', chr(0xC2) . chr(0xA0), $indexPadded);
+
+                $line['index'] = $indexPadded . str_repeat(chr(0xC2) . chr(0xA0), 4);
             }
 
             return [
@@ -159,8 +183,7 @@ public function display(): array
                 'duration'   => ((float) $query['query']->getDuration(5) * 1000) . ' ms',
                 'sql'        => $query['query']->debugToolbarDisplay(),
                 'trace'      => $query['trace'],
-                'trace-file' => str_replace(ROOTPATH, '/', $line['file'] ?? ''),
-                'trace-line' => $line['line'] ?? '',
+                'trace-file' => $firstNonSystemLine,
                 'qid'        => md5($query['query'] . microtime()),
             ];
         }, static::$queries);
diff --git a/system/Debug/Toolbar/Views/_database.tpl b/system/Debug/Toolbar/Views/_database.tpl
index a2f5bd9808f1..1bd9b8a88405 100644
--- a/system/Debug/Toolbar/Views/_database.tpl
+++ b/system/Debug/Toolbar/Views/_database.tpl
@@ -10,13 +10,14 @@
         <tr class="{class}" title="{hover}" data-toggle="{qid}-trace">
             <td class="narrow">{duration}</td>
             <td>{! sql !}</td>
-            <td style="text-align: right">{trace-file}:<strong>{trace-line}</strong></td>
+            <td style="text-align: right"><strong>{trace-file}</strong></td>
         </tr>
         <tr class="muted" id="{qid}-trace" style="display:none">
             <td></td>
             <td colspan="2">
             {trace}
-                {file}:<strong>{line}</strong><br/>
+                {index}<strong>{file}</strong><br/>
+                {function}<br/><br/>
             {/trace}
             </td>
         </tr>
diff --git a/tests/system/Debug/Toolbar/Collectors/DatabaseTest.php b/tests/system/Debug/Toolbar/Collectors/DatabaseTest.php
new file mode 100644
index 000000000000..3b139d9f2d7e
--- /dev/null
+++ b/tests/system/Debug/Toolbar/Collectors/DatabaseTest.php
@@ -0,0 +1,61 @@
+<?php
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\Debug\Toolbar\Collectors;
+
+use CodeIgniter\Database\Query;
+use CodeIgniter\Test\CIUnitTestCase;
+use PHPUnit\Framework\MockObject\MockObject;
+
+/**
+ * @internal
+ */
+final class DatabaseTest extends CIUnitTestCase
+{
+    public function testDisplay(): void
+    {
+        /** @var MockObject&Query $query */
+        $query = $this->getMockBuilder(Query::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        // set mock returns
+        $query->method('getQuery')->willReturn('SHOW TABLES;');
+        $query->method('debugToolbarDisplay')->willReturn('<strong>SHOW</strong> TABLES;');
+        $query->method('getDuration')->with(5)->willReturn('1.23456');
+
+        Database::collect($query); // <== $query will be called here
+        $collector = new Database();
+
+        $queries = $collector->display()['queries'];
+
+        $this->assertSame('1234.56 ms', $queries[0]['duration']);
+        $this->assertSame('<strong>SHOW</strong> TABLES;', $queries[0]['sql']);
+        $this->assertSame(clean_path(__FILE__) . ':35', $queries[0]['trace-file']);
+
+        foreach ($queries[0]['trace'] as $i => $trace) {
+            // since we added the index numbering
+            $this->assertArrayHasKey('index', $trace);
+            $this->assertSame(
+                sprintf('%s', $i + 1),
+                preg_replace(sprintf('/%s/', chr(0xC2) . chr(0xA0)), '', $trace['index'])
+            );
+
+            // since we merged file & line together
+            $this->assertArrayNotHasKey('line', $trace);
+            $this->assertArrayHasKey('file', $trace);
+
+            // since we dropped object & args in the backtrace for performance
+            // but args MAY STILL BE present in internal calls
+            $this->assertArrayNotHasKey('object', $trace);
+        }
+    }
+}

From 505b3961d7192793e1b0d2536ad8c2beff926059 Mon Sep 17 00:00:00 2001
From: Tim Zandbergen <TimZ99@users.noreply.github.com>
Date: Tue, 4 Jan 2022 22:30:58 +0100
Subject: [PATCH 10/16] Replaced deprecated `FILTER_SANITIZE_STRING`

Replaced with FILTER_SANITIZE_FULL_SPECIAL_CHARS. Equivalent to calling htmlspecialchars() with ENT_QUOTES set.
---
 user_guide_src/source/incoming/incomingrequest.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/user_guide_src/source/incoming/incomingrequest.rst b/user_guide_src/source/incoming/incomingrequest.rst
index fe6c26909aed..46ebd35b4bf9 100644
--- a/user_guide_src/source/incoming/incomingrequest.rst
+++ b/user_guide_src/source/incoming/incomingrequest.rst
@@ -399,7 +399,7 @@ The methods provided by the parent classes that are available are:
         The second optional parameter lets you run the data through the PHP's
         filters. Pass in the desired filter type as the second parameter::
 
-            $request->getVar('some_data', FILTER_SANITIZE_STRING);
+            $request->getVar('some_data', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
         To return an array of all POST items call without any parameters.
 
@@ -407,7 +407,7 @@ The methods provided by the parent classes that are available are:
         first parameter to null while setting the second parameter to the filter
         you want to use::
 
-            $request->getVar(null, FILTER_SANITIZE_STRING);
+            $request->getVar(null, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
             // returns all POST items with string sanitation
 
         To return an array of multiple POST parameters, pass all the required keys as an array::
@@ -417,7 +417,7 @@ The methods provided by the parent classes that are available are:
         Same rule applied here, to retrieve the parameters with filtering, set the second parameter to
         the filter type to apply::
 
-            $request->getVar(['field1', 'field2'], FILTER_SANITIZE_STRING);
+            $request->getVar(['field1', 'field2'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
     .. php:method:: getGet([$index = null[, $filter = null[, $flags = null]]])
 
@@ -489,7 +489,7 @@ The methods provided by the parent classes that are available are:
         This method is identical to ``getPost()`` and ``getGet()``, only it fetches cookie data::
 
             $request->getCookie('some_cookie');
-            $request->getCookie('some_cookie', FILTER_SANITIZE_STRING); // with filter
+            $request->getCookie('some_cookie', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // with filter
 
         To return an array of multiple cookie values, pass all the required keys as an array::
 

From 490fece27b78cf46361239a328cbb324a3e45935 Mon Sep 17 00:00:00 2001
From: Tim Zandbergen <TimZ99@users.noreply.github.com>
Date: Tue, 4 Jan 2022 23:07:50 +0100
Subject: [PATCH 11/16] Replaced deprecated `FILTER_SANITIZE_STRING`

Replaced with FILTER_SANITIZE_FULL_SPECIAL_CHARS. Equivalent to calling htmlspecialchars() with ENT_QUOTES set.
---
 system/Helpers/cookie_helper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/Helpers/cookie_helper.php b/system/Helpers/cookie_helper.php
index e47a86356dbf..51a746c5395b 100755
--- a/system/Helpers/cookie_helper.php
+++ b/system/Helpers/cookie_helper.php
@@ -65,7 +65,7 @@ function get_cookie($index, bool $xssClean = false)
     {
         $prefix  = isset($_COOKIE[$index]) ? '' : config(App::class)->cookiePrefix;
         $request = Services::request();
-        $filter  = $xssClean ? FILTER_SANITIZE_STRING : FILTER_DEFAULT;
+        $filter  = $xssClean ? FILTER_SANITIZE_FULL_SPECIAL_CHARS : FILTER_DEFAULT;
 
         return $request->getCookie($prefix . $index, $filter);
     }

From b4b24e0957ac05bc15d920ca44637a6bb01d17d2 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Sat, 8 Jan 2022 10:23:42 +0900
Subject: [PATCH 12/16] docs: add changelogs, upgrade_417, and warning in
 cookie_helper.rst

---
 user_guide_src/source/changelogs/index.rst    |  1 +
 user_guide_src/source/changelogs/v4.1.7.rst   | 35 +++++++++++++
 .../source/helpers/cookie_helper.rst          |  2 +
 .../source/installation/upgrade_417.rst       | 51 +++++++++++++++++++
 .../source/installation/upgrading.rst         |  1 +
 5 files changed, 90 insertions(+)
 create mode 100644 user_guide_src/source/changelogs/v4.1.7.rst
 create mode 100644 user_guide_src/source/installation/upgrade_417.rst

diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
index 8a54083777d3..74e782cb3508 100644
--- a/user_guide_src/source/changelogs/index.rst
+++ b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
     :titlesonly:
 
+    v4.1.7
     v4.1.6
     v4.1.5
     v4.1.4
diff --git a/user_guide_src/source/changelogs/v4.1.7.rst b/user_guide_src/source/changelogs/v4.1.7.rst
new file mode 100644
index 000000000000..33d2efffe850
--- /dev/null
+++ b/user_guide_src/source/changelogs/v4.1.7.rst
@@ -0,0 +1,35 @@
+Version 4.1.7
+#############
+
+Release Date: Not Released
+
+**4.1.7 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+BREAKING
+********
+
+- Because ``FILTER_SANITIZE_STRING`` is deprecated since PHP 8.1, ``get_cookie()`` that uses it when ``$xssClean`` is true changed the output. Now it uses ``FILTER_SANITIZE_FULL_SPECIAL_CHARS``. Note that using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
+
+Enhancements
+************
+
+none.
+
+Changes
+*******
+
+none.
+
+Deprecations
+************
+
+none.
+
+Bugs Fixed
+**********
+
+See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.
diff --git a/user_guide_src/source/helpers/cookie_helper.rst b/user_guide_src/source/helpers/cookie_helper.rst
index 597adaa66c9a..a5e2946e5869 100755
--- a/user_guide_src/source/helpers/cookie_helper.rst
+++ b/user_guide_src/source/helpers/cookie_helper.rst
@@ -53,6 +53,8 @@ The following functions are available:
     the ``$cookiePrefix`` that you might've set in your
     **app/Config/App.php** file.
 
+.. warning:: Using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
+
 .. php:function:: delete_cookie($name[, $domain = ''[, $path = '/'[, $prefix = '']]])
 
     :param string $name: Cookie name
diff --git a/user_guide_src/source/installation/upgrade_417.rst b/user_guide_src/source/installation/upgrade_417.rst
new file mode 100644
index 000000000000..4b94375f65ce
--- /dev/null
+++ b/user_guide_src/source/installation/upgrade_417.rst
@@ -0,0 +1,51 @@
+#############################
+Upgrading from 4.1.6 to 4.1.7
+#############################
+
+Please refer to the upgrade instructions corresponding to your installation method.
+
+- :ref:`Composer Installation App Starter Upgrading <app-starter-upgrading>`
+- :ref:`Composer Installation Adding CodeIgniter4 to an Existing Project Upgrading <adding-codeigniter4-upgrading>`
+- :ref:`Manual Installation Upgrading <installing-manual-upgrading>`
+
+.. contents::
+    :local:
+    :depth: 2
+
+Breaking Changes
+****************
+
+- ``get_cookie()`` when ``$xssClean`` is true changed the output. Now it uses ``FILTER_SANITIZE_FULL_SPECIAL_CHARS``, not ``FILTER_SANITIZE_STRING``. Make sure the change is acceptable or not. Note that using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
+
+Breaking Enhancements
+*********************
+
+none.
+
+Project Files
+*************
+
+Numerous files in the **project space** (root, app, public, writable) received updates. Due to
+these files being outside of the **system** scope they will not be changed without your intervention.
+There are some third-party CodeIgniter modules available to assist with merging changes to
+the project space: `Explore on Packagist <https://packagist.org/explore/?query=codeigniter4%20updates>`_.
+
+.. note:: Except in very rare cases for bug fixes, no changes made to files for the project space
+    will break your application. All changes noted here are optional until the next major version,
+    and any mandatory changes will be covered in the sections above.
+
+Content Changes
+===============
+
+The following files received significant changes (including deprecations or visual adjustments)
+and it is recommended that you merge the updated versions with your application:
+
+*
+
+All Changes
+===========
+
+This is a list of all files in the **project space** that received changes;
+many will be simple comments or formatting that have no effect on the runtime:
+
+*
diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst
index 771392d8f81a..d142117ba7b9 100644
--- a/user_guide_src/source/installation/upgrading.rst
+++ b/user_guide_src/source/installation/upgrading.rst
@@ -8,6 +8,7 @@ upgrading from.
 .. toctree::
     :titlesonly:
 
+    Upgrading from 4.1.6 to 4.1.7 <upgrade_417>
     Upgrading from 4.1.5 to 4.1.6 <upgrade_416>
     Upgrading from 4.1.4 to 4.1.5 <upgrade_415>
     Upgrading from 4.1.3 to 4.1.4 <upgrade_414>

From 72255dab23cc1f99c0fc8160a327fc11aff839df Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Sat, 8 Jan 2022 11:47:28 +0900
Subject: [PATCH 13/16] docs: generate CHANGELOG.md

---
 CHANGELOG.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4d333c153241..9da2f2e61492 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## [v4.1.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.7) (2022-01-XX)
+
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.6...v4.1.7)
+
+**Breaking Changes**
+
+* fix: replace deprecated FILTER_SANITIZE_STRING by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/5555
+
+**Fixed Bugs**
+
+* fix: BaseConnection::getConnectDuration() number_format(): Passing null to parameter by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/5536
+* Fix: Debug toolbar selectors by @iRedds in https://github.com/codeigniter4/CodeIgniter4/pull/5544
+* Fix: Toolbar. ciDebugBar.showTab() context. by @iRedds in https://github.com/codeigniter4/CodeIgniter4/pull/5554
+* Refactor Database Collector display by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/5553
+
 ## [v4.1.6](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.6) (2022-01-03)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.5...v4.1.6)

From b6c21c35e3e37eaf1cca2e4ecef0d617053572d8 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Sat, 8 Jan 2022 11:54:29 +0900
Subject: [PATCH 14/16] chore: update verion to 4.1.7

---
 system/CodeIgniter.php        | 2 +-
 user_guide_src/source/conf.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
index bcce77f1f853..ed4e500466f6 100644
--- a/system/CodeIgniter.php
+++ b/system/CodeIgniter.php
@@ -45,7 +45,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.1.6';
+    public const CI_VERSION = '4.1.7';
 
     private const MIN_PHP_VERSION = '7.3';
 
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
index 0d5246a4aaaa..60a34e9c178b 100644
--- a/user_guide_src/source/conf.py
+++ b/user_guide_src/source/conf.py
@@ -24,7 +24,7 @@
 version = '4.1'
 
 # The full version, including alpha/beta/rc tags.
-release = '4.1.6'
+release = '4.1.7'
 
 # -- General configuration ---------------------------------------------------
 

From ff7150e23230bef464f59aafebaf506246e52297 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Sat, 8 Jan 2022 11:58:38 +0900
Subject: [PATCH 15/16] docs: remove not changed sections in upgrade_417

---
 .../source/installation/upgrade_417.rst       | 33 -------------------
 1 file changed, 33 deletions(-)

diff --git a/user_guide_src/source/installation/upgrade_417.rst b/user_guide_src/source/installation/upgrade_417.rst
index 4b94375f65ce..fd5c3cf80543 100644
--- a/user_guide_src/source/installation/upgrade_417.rst
+++ b/user_guide_src/source/installation/upgrade_417.rst
@@ -16,36 +16,3 @@ Breaking Changes
 ****************
 
 - ``get_cookie()`` when ``$xssClean`` is true changed the output. Now it uses ``FILTER_SANITIZE_FULL_SPECIAL_CHARS``, not ``FILTER_SANITIZE_STRING``. Make sure the change is acceptable or not. Note that using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
-
-Breaking Enhancements
-*********************
-
-none.
-
-Project Files
-*************
-
-Numerous files in the **project space** (root, app, public, writable) received updates. Due to
-these files being outside of the **system** scope they will not be changed without your intervention.
-There are some third-party CodeIgniter modules available to assist with merging changes to
-the project space: `Explore on Packagist <https://packagist.org/explore/?query=codeigniter4%20updates>`_.
-
-.. note:: Except in very rare cases for bug fixes, no changes made to files for the project space
-    will break your application. All changes noted here are optional until the next major version,
-    and any mandatory changes will be covered in the sections above.
-
-Content Changes
-===============
-
-The following files received significant changes (including deprecations or visual adjustments)
-and it is recommended that you merge the updated versions with your application:
-
-*
-
-All Changes
-===========
-
-This is a list of all files in the **project space** that received changes;
-many will be simple comments or formatting that have no effect on the runtime:
-
-*

From 3e088a9e00fc271d1bb46d1ee454e92a7b91a2d1 Mon Sep 17 00:00:00 2001
From: MGatner <mgatner@icloud.com>
Date: Mon, 10 Jan 2022 01:30:43 +0000
Subject: [PATCH 16/16] Apply release dates

---
 CHANGELOG.md                                | 2 +-
 user_guide_src/source/changelogs/v4.1.7.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9da2f2e61492..23c77082242e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changelog
 
-## [v4.1.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.7) (2022-01-XX)
+## [v4.1.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.7) (2022-01-09)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.6...v4.1.7)
 
diff --git a/user_guide_src/source/changelogs/v4.1.7.rst b/user_guide_src/source/changelogs/v4.1.7.rst
index 33d2efffe850..5c9d07357858 100644
--- a/user_guide_src/source/changelogs/v4.1.7.rst
+++ b/user_guide_src/source/changelogs/v4.1.7.rst
@@ -1,7 +1,7 @@
 Version 4.1.7
 #############
 
-Release Date: Not Released
+Release Date: January 9, 2022
 
 **4.1.7 release of CodeIgniter4**