From 449dbaebb7cf21fd5858467aa4329aa3932d96e6 Mon Sep 17 00:00:00 2001
From: Bogdan <matolq@gmail.com>
Date: Thu, 11 Jun 2026 23:28:03 +0200
Subject: [PATCH 1/9] fix: env() TypeError for non-string $_SERVER values +
 esc() fixes

- env(): guard non-string values (int argc, array argv in CLI) before
  strtolower() to prevent TypeError under declare(strict_types=1)

- esc(): propagate $encoding in recursive array calls (was ignored before),
  add early return after array processing, replace single static $escaper
  with static $escapers[] cache keyed by encoding

- tests: data-provider test for env() non-string types,
  three tests for esc() foreach reference leak
---
 system/Common.php                    | 23 ++++++----
 tests/system/CommonFunctionsTest.php | 66 ++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+), 8 deletions(-)

diff --git a/system/Common.php b/system/Common.php
index ea0c476423a0..f6a876e7a732 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -416,6 +416,12 @@ function env(string $key, $default = null)
             return $default;
         }
 
+        // Non-string values (e.g. $_SERVER['argc'] is int, $_SERVER['argv'] is array in CLI)
+        // must be returned as-is to avoid TypeError from strtolower().
+        if (! is_string($value)) {
+            return $value;
+        }
+
         // Handle any boolean values
         return match (strtolower($value)) {
             'true'  => true,
@@ -459,8 +465,11 @@ function esc($data, string $context = 'html', ?string $encoding = null)
 
         if (is_array($data)) {
             foreach ($data as &$value) {
-                $value = esc($value, $context);
+                $value = esc($value, $context, $encoding);
             }
+            unset($value); // Prevent reference leak: &$value would remain bound to last element
+
+            return $data;
         }
 
         if (is_string($data)) {
@@ -470,16 +479,14 @@ function esc($data, string $context = 'html', ?string $encoding = null)
 
             $method = $context === 'attr' ? 'escapeHtmlAttr' : 'escape' . ucfirst($context);
 
-            static $escaper;
-            if (! $escaper) {
-                $escaper = new Escaper($encoding);
-            }
+            static $escapers = [];
+            $cacheKey        = $encoding ?? 'default';
 
-            if ($encoding !== null && $escaper->getEncoding() !== $encoding) {
-                $escaper = new Escaper($encoding);
+            if (! isset($escapers[$cacheKey])) {
+                $escapers[$cacheKey] = new Escaper($encoding);
             }
 
-            $data = $escaper->{$method}($data);
+            $data = $escapers[$cacheKey]->{$method}($data);
         }
 
         return $data;
diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index 7f79b07381fd..eddf703afc34 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -131,6 +131,42 @@ public function testEnvBooleans(): void
         $this->assertNull(env('p4'));
     }
 
+    #[DataProvider('provideEnvReturnsCorrectTypesWithoutTypeError')]
+    public function testEnvReturnsCorrectTypesWithoutTypeError(string $source, mixed $value): void
+    {
+        $key = 'ci_test_var';
+
+        if ($source === 'SERVER' || $source === 'BOTH') {
+            service('superglobals')->setServer($key, $value);
+        }
+
+        if ($source === 'ENV' || $source === 'BOTH') {
+            $_ENV[$key] = $value;
+        }
+
+        $this->assertSame($value, env($key));
+    }
+
+    /**
+     * @return iterable<string, array{string, mixed}>
+     */
+    public static function provideEnvReturnsCorrectTypesWithoutTypeError(): iterable
+    {
+        yield 'integer from SERVER' => ['SERVER', 2];
+
+        yield 'array from SERVER' => ['SERVER', ['spark', 'migrate']];
+
+        yield 'int 1 is not true' => ['SERVER', 1];
+
+        yield 'int 0 is not false' => ['SERVER', 0];
+
+        yield 'float from SERVER' => ['SERVER', 3.14];
+
+        yield 'integer from ENV' => ['ENV', 42];
+
+        yield 'CLI simulation BOTH' => ['BOTH', 3];
+    }
+
     private function createRouteCollection(): RouteCollection
     {
         return new RouteCollection(Services::locator(), new Modules(), new Routing());
@@ -276,6 +312,36 @@ public function testEscapeRecursiveArrayRaw(): void
         $this->assertSame($data, esc($data, 'raw'));
     }
 
+    public function testEscapeArrayDoesNotLeakForeachReference(): void
+    {
+        $data = ['first' => '<b>bold</b>', 'last' => '<i>italic</i>'];
+
+        $escaped = esc($data);
+
+        $this->assertSame('&lt;b&gt;bold&lt;/b&gt;', $escaped['first']);
+        $this->assertSame('&lt;i&gt;italic&lt;/i&gt;', $escaped['last']);
+    }
+
+    public function testEscapeArrayLastElementNotMutatedAfterCall(): void
+    {
+        $data = ['x' => '<script>', 'y' => '<style>'];
+
+        $escaped = esc($data);
+
+        $this->assertSame('&lt;script&gt;', $escaped['x']);
+        $this->assertSame('&lt;style&gt;', $escaped['y']);
+        $this->assertCount(2, $escaped);
+    }
+
+    public function testEscapeArrayReferenceIsCleanedUpOnSingleElement(): void
+    {
+        $data = ['only' => '<div>'];
+
+        $escaped = esc($data);
+
+        $this->assertSame('&lt;div&gt;', $escaped['only']);
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     #[WithoutErrorHandler]

From 1d4ccf651591c0810632265e50e1f37324082f9e Mon Sep 17 00:00:00 2001
From: Bogdan Lambarski <matolq@gmail.com>
Date: Fri, 12 Jun 2026 18:28:49 +0200
Subject: [PATCH 2/9] Apply suggestion from @michalsn

Co-authored-by: Michal Sniatala <michal@sniatala.pl>
---
 system/Common.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/system/Common.php b/system/Common.php
index f6a876e7a732..59e84a58a788 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -467,7 +467,6 @@ function esc($data, string $context = 'html', ?string $encoding = null)
             foreach ($data as &$value) {
                 $value = esc($value, $context, $encoding);
             }
-            unset($value); // Prevent reference leak: &$value would remain bound to last element
 
             return $data;
         }

From 0a2807292989030ac34be8ac4808e614643a8b62 Mon Sep 17 00:00:00 2001
From: Bogdan Lambarski <matolq@gmail.com>
Date: Fri, 12 Jun 2026 18:30:34 +0200
Subject: [PATCH 3/9] Apply suggestion from @michalsn

Co-authored-by: Michal Sniatala <michal@sniatala.pl>
---
 tests/system/CommonFunctionsTest.php | 30 ----------------------------
 1 file changed, 30 deletions(-)

diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index eddf703afc34..3d643fb28a61 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -312,36 +312,6 @@ public function testEscapeRecursiveArrayRaw(): void
         $this->assertSame($data, esc($data, 'raw'));
     }
 
-    public function testEscapeArrayDoesNotLeakForeachReference(): void
-    {
-        $data = ['first' => '<b>bold</b>', 'last' => '<i>italic</i>'];
-
-        $escaped = esc($data);
-
-        $this->assertSame('&lt;b&gt;bold&lt;/b&gt;', $escaped['first']);
-        $this->assertSame('&lt;i&gt;italic&lt;/i&gt;', $escaped['last']);
-    }
-
-    public function testEscapeArrayLastElementNotMutatedAfterCall(): void
-    {
-        $data = ['x' => '<script>', 'y' => '<style>'];
-
-        $escaped = esc($data);
-
-        $this->assertSame('&lt;script&gt;', $escaped['x']);
-        $this->assertSame('&lt;style&gt;', $escaped['y']);
-        $this->assertCount(2, $escaped);
-    }
-
-    public function testEscapeArrayReferenceIsCleanedUpOnSingleElement(): void
-    {
-        $data = ['only' => '<div>'];
-
-        $escaped = esc($data);
-
-        $this->assertSame('&lt;div&gt;', $escaped['only']);
-    }
-
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     #[WithoutErrorHandler]

From fbaf26e648cfeebc3309014eb48b3bc7c60b163d Mon Sep 17 00:00:00 2001
From: Bogdan Lambarski <matolq@gmail.com>
Date: Fri, 12 Jun 2026 18:36:38 +0200
Subject: [PATCH 4/9] Update system/Common.php

Co-authored-by: Michal Sniatala <michal@sniatala.pl>
---
 system/Common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/Common.php b/system/Common.php
index 59e84a58a788..523248259323 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -479,7 +479,7 @@ function esc($data, string $context = 'html', ?string $encoding = null)
             $method = $context === 'attr' ? 'escapeHtmlAttr' : 'escape' . ucfirst($context);
 
             static $escapers = [];
-            $cacheKey        = $encoding ?? 'default';
+            $cacheKey = strtolower($encoding ?? 'utf-8');
 
             if (! isset($escapers[$cacheKey])) {
                 $escapers[$cacheKey] = new Escaper($encoding);

From 86b80bf805efaa6fcbc2f144e06d914a4324bc94 Mon Sep 17 00:00:00 2001
From: Bogdan <matolq@gmail.com>
Date: Fri, 12 Jun 2026 19:16:48 +0200
Subject: [PATCH 5/9] style: cs-fix

---
 system/Common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/Common.php b/system/Common.php
index 523248259323..f3f20a7a0db5 100644
--- a/system/Common.php
+++ b/system/Common.php
@@ -479,7 +479,7 @@ function esc($data, string $context = 'html', ?string $encoding = null)
             $method = $context === 'attr' ? 'escapeHtmlAttr' : 'escape' . ucfirst($context);
 
             static $escapers = [];
-            $cacheKey = strtolower($encoding ?? 'utf-8');
+            $cacheKey        = strtolower($encoding ?? 'utf-8');
 
             if (! isset($escapers[$cacheKey])) {
                 $escapers[$cacheKey] = new Escaper($encoding);

From 34edb13b7d5fccd4f9494f4f96516a73e20cf1fb Mon Sep 17 00:00:00 2001
From: Bogdan <matolq@gmail.com>
Date: Fri, 12 Jun 2026 21:47:10 +0200
Subject: [PATCH 6/9] test: add tests for esc() encoding changes and update
 changelog

---
 CHANGELOG.md                         |  1 +
 tests/system/CommonFunctionsTest.php | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0f8cbd59deb0..bafad86e93dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 
 ### Fixed Bugs
 
+* fix: env() TypeError for non-string values and esc() encoding propagation with reference leak prevention
 * fix: make Autoloader composer path injectable to fix parallel test race condition by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10082
 * fix: store SPL closures in `register()` so `unregister()` can remove them by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10097
 * fix: ensure output buffer is closed after use of `command()` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10099
diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index 3d643fb28a61..ee8d2786b186 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -42,6 +42,7 @@
 use Config\Services;
 use Config\Session as SessionConfig;
 use Exception;
+use InvalidArgumentException;
 use Kint;
 use PHPUnit\Framework\Attributes\BackupGlobals;
 use PHPUnit\Framework\Attributes\DataProvider;
@@ -312,6 +313,22 @@ public function testEscapeRecursiveArrayRaw(): void
         $this->assertSame($data, esc($data, 'raw'));
     }
 
+    public function testEscapeArrayPropagatesEncoding(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        // If encoding is not propagated, it would not instantiate the Escaper with the invalid encoding and wouldn't throw.
+        esc(['test'], 'html', 'invalid-encoding');
+    }
+
+    public function testEscapeWithChangingEncodingRecursive(): void
+    {
+        $data = ['<x'];
+
+        $this->assertSame(['&lt;x'], esc($data, 'html', 'utf-8'));
+        $this->assertSame(['&lt;x'], esc($data, 'html', 'iso-8859-1'));
+        $this->assertSame(['&lt;x'], esc($data, 'html', 'utf-8'));
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     #[WithoutErrorHandler]

From 0f106ec7d9c630b846150ed45e24fd382b106232 Mon Sep 17 00:00:00 2001
From: Bogdan Lambarski <matolq@gmail.com>
Date: Sat, 13 Jun 2026 20:18:20 +0200
Subject: [PATCH 7/9] Update tests/system/CommonFunctionsTest.php

Co-authored-by: Michal Sniatala <michal@sniatala.pl>
---
 tests/system/CommonFunctionsTest.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index ee8d2786b186..30f99d79a515 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -320,13 +320,13 @@ public function testEscapeArrayPropagatesEncoding(): void
         esc(['test'], 'html', 'invalid-encoding');
     }
 
-    public function testEscapeWithChangingEncodingRecursive(): void
+    public function testEscapeWithChangingArrayEncoding(): void
     {
-        $data = ['<x'];
+        $data = [hex2bin('E9')];
 
-        $this->assertSame(['&lt;x'], esc($data, 'html', 'utf-8'));
-        $this->assertSame(['&lt;x'], esc($data, 'html', 'iso-8859-1'));
-        $this->assertSame(['&lt;x'], esc($data, 'html', 'utf-8'));
+        $this->assertSame(['&#xE9;'], esc($data, 'attr', 'iso-8859-1'));
+        $this->assertSame(['&#x0439;'], esc($data, 'attr', 'windows-1251'));
+        $this->assertSame(['&#xE9;'], esc($data, 'attr', 'iso-8859-1'));
     }
 
     #[PreserveGlobalState(false)]

From fa2e7f553b0e7f866d29cc774a3d8a6dd4cb8f35 Mon Sep 17 00:00:00 2001
From: Bogdan <matolq@gmail.com>
Date: Sat, 13 Jun 2026 20:20:38 +0200
Subject: [PATCH 8/9] docs: move env/esc fix changelog entry to v4.7.4.rst

---
 CHANGELOG.md                                | 1 -
 user_guide_src/source/changelogs/v4.7.4.rst | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bafad86e93dd..0f8cbd59deb0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,6 @@
 
 ### Fixed Bugs
 
-* fix: env() TypeError for non-string values and esc() encoding propagation with reference leak prevention
 * fix: make Autoloader composer path injectable to fix parallel test race condition by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10082
 * fix: store SPL closures in `register()` so `unregister()` can remove them by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10097
 * fix: ensure output buffer is closed after use of `command()` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10099
diff --git a/user_guide_src/source/changelogs/v4.7.4.rst b/user_guide_src/source/changelogs/v4.7.4.rst
index f9cc995ad22a..f3d70b45a605 100644
--- a/user_guide_src/source/changelogs/v4.7.4.rst
+++ b/user_guide_src/source/changelogs/v4.7.4.rst
@@ -31,6 +31,7 @@ Bugs Fixed
 **********
 
 - **API:** Fixed a bug in Transformers where the root request's ``fields`` and ``include`` query parameters leaked into nested transformers created inside ``include*()`` methods, causing incorrect field filtering, unexpected includes, or infinite recursion.
+- **Common:** Fixed a bug in ``env()`` where a ``TypeError`` could be thrown when non-string values were passed, and fixed ``esc()`` to propagate encoding correctly and prevent reference leaks.
 - **Database:** Fixed a bug where ``updateBatch()`` could be called after Query Builder ``where()`` conditions, even though it's not supported. In this situation, now the ``DatabaseException`` is thrown.
 - **HTTP:** Fixed a bug where the User Agent library reported Safari's WebKit version instead of the browser version from the ``Version`` token.
 - **Model:** Fixed a bug in ``Model::objectToRawArray()`` where the ``$recursive`` parameter was ignored.

From c7a85698724df6aca074b5553c1da4fc47e600df Mon Sep 17 00:00:00 2001
From: Bogdan <matolq@gmail.com>
Date: Sun, 14 Jun 2026 22:27:56 +0200
Subject: [PATCH 9/9] docs: split Common changelog entry

---
 user_guide_src/source/changelogs/v4.7.4.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/user_guide_src/source/changelogs/v4.7.4.rst b/user_guide_src/source/changelogs/v4.7.4.rst
index 12440bed96e3..60d9676a0812 100644
--- a/user_guide_src/source/changelogs/v4.7.4.rst
+++ b/user_guide_src/source/changelogs/v4.7.4.rst
@@ -31,7 +31,8 @@ Bugs Fixed
 **********
 
 - **API:** Fixed a bug in Transformers where the root request's ``fields`` and ``include`` query parameters leaked into nested transformers created inside ``include*()`` methods, causing incorrect field filtering, unexpected includes, or infinite recursion.
-- **Common:** Fixed a bug in ``env()`` where a ``TypeError`` could be thrown when non-string values were passed, and fixed ``esc()`` to propagate encoding correctly and prevent reference leaks.
+- **Common:** Fixed a bug in ``env()`` where a ``TypeError`` could be thrown when non-string values were passed.
+- **Common:** Fixed ``esc()`` to propagate encoding correctly and prevent reference leaks.
 - **Commands:** Fixed a bug where ``spark lang:find`` treated translation keys already provided by the framework or another namespace (such as ``Errors.*`` in ``system/Language``) as new, listing them under ``--show-new`` and writing untranslated placeholders into ``app/Language`` that overrode the existing translations.
 - **Database:** Fixed a bug where ``updateBatch()`` could be called after Query Builder ``where()`` conditions, even though it's not supported. In this situation, now the ``DatabaseException`` is thrown.
 - **HTTP:** Fixed a bug where the User Agent library reported Safari's WebKit version instead of the browser version from the ``Version`` token.