- Jan 05, 2018
-
-
Tim van Dijen authored
-
- Jan 04, 2018
-
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
- Dec 29, 2017
-
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
- Dec 14, 2017
-
-
Luke Leber authored
Added 'no-store' to the cache-control header to prevent Google Chrome from serving the 302 redirect from disk cache
-
- Dec 08, 2017
-
-
Tim van Dijen authored
Fixes edge case https://github.com/simplesamlphp/simplesamlphp/issues/741 where the application has one of the known LoggingHandlers' names as a defined class
-
- Dec 05, 2017
-
-
Jaime Pérez Crespo authored
The last version of psalm breaks with array_key_exists(), so we use isset() instead.
-
- Nov 29, 2017
-
-
Tim van Dijen authored
-
- Nov 22, 2017
-
-
Jaime Pérez Crespo authored
Doing so allows us to mock the class. Otherwise, the _autoload_module.php is always called first, and when it tries to register the functions from that class, it automatically autoloads it, making it impossible to mock it afterwards.
-
- Nov 14, 2017
-
-
Kristof Bajnok authored
Don't bail out if the MDQ cache is broken or the query fails, because later other metadata sources might provide the metadata for the entity.
-
- Oct 27, 2017
-
-
Thijs Kinkhorst authored
-
- Oct 25, 2017
-
-
Jaime Pérez Crespo authored
-
Jaime Pérez Crespo authored
This can be used by templates to load resources in different ways, either optimized for the developer or for a production environment.
-
Jaime Pérez Crespo authored
-
- Oct 24, 2017
-
-
Matt Schwager authored
Working toward some of the requested tasks in https://github.com/simplesamlphp/simplesamlphp/wiki/List-of-tasks
-
- Oct 19, 2017
- Oct 17, 2017
-
-
Jaime Pérez Crespo authored
This allows us to use this new filter to translate strings from a given array of translations, where every translation is indexed by its ISO 639 code. A new configuration option ('language' -> 'priorities') is available too to control the alternative languages that can be used instead of a given language, when the latter is not found. The filter returns null when no suitable translation is found, so that it can be combined with "default()" to set a default translation for a given string.
-
- Oct 16, 2017
-
-
Jaime Pérez Crespo authored
This reverts commit 0917046c.
-
Jaime Pérez Crespo authored
-
Jaime Pérez Crespo authored
-
Jaime Pérez Crespo authored
This reverts commit 1218f38a.
-
Jaime Pérez Crespo authored
When we are invoked from an outside application, SimpleSAMLphp cannot use 'baseurlpath' and in that case it tries to guess the current URL. The port was always added, even if the default port was used, leading to possible issues when comparing URLs that should actually be equivalent. This resolves #696.
-
- Oct 10, 2017
-
-
Matt Clarkson authored
-
Jaime Pérez Crespo authored
This resolves #695.
-
Jaime Pérez Crespo authored
In order to fix this, we first sanitize any URL given to SimpleSAML\Utils\HTTP::checkURLAllowed() so that we make sure we have a true URL without spurious characters. Secondly, we stop using an "onload" event in the body of the redirect page to trigger the redirect automatically. Instead, we use a "meta refresh" redirection. This double remediation is because there were two issues here: one, we were printing user input inside a chunk of JavaScript code. The other exploits the fact that the header() function silently breaks when a null character is part of the URL given to a "Location" header. In that case, the HTTP 302 Redirection doesn't happen, and then the browser loads the HTML and goes through it, running the injected JavaScript. This fixes #699.
-