Commit b8094083 authored by Benjamin Franzke, committed by Oliver Hader

[SECURITY] Prevent XSS due to wrong PATH_INFO evaluation

As already started in #88304 (but only for NormalizedParams)
and later reverted in #89312 (because of cgi-bin problems),
PATH_INFO is no longer considered as a preferable SCRIPT_NAME
alternative. All known server configurations set SCRIPT_NAME
these days to a proper value when cgi.fix_pathinfo is set.

The fallback to PATH_INFO has been introduced with
the initial revision of TYPO3 and isn't needed at all nowadays,
it's actually wrong, as a REQUEST_URI like /index.php/foo/bar
would incorrectly be interpreted as $scriptName == "/foo/bar",
which lets all calculations on $scriptName fail and
even leads to XSS where values derived from $scriptName are
printed without being escaped.

Also any ORIG_SCRIPT_NAME evaluation is dropped, as this variable
contains the SCRIPT_NAME that was set by the webserver configuration
before PHP applied cgi.fix_pathinfo. Using ORIG_SCRIPT_NAME
effectively meant bypassing PHP's pathinfo fix. It usually contains
the cgi-wra...
parent c008616d
Showing with 57 additions and 123 deletions
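
The effect the commit message describes, as an added example that is not TYPO3's code and not part of this commit: a simplified model of preferring PATH_INFO over SCRIPT_NAME, next to the SCRIPT_NAME-only derivation, with the derived value escaped on output. The function names, the `sitePath` derivation and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Legacy behaviour as described in the commit message (simplified model):
// a non-empty PATH_INFO wins over SCRIPT_NAME.
function legacyScriptName(array $server): string
{
    $pathInfo = $server['PATH_INFO'] ?? '';
    return $pathInfo !== '' ? $pathInfo : ($server['SCRIPT_NAME'] ?? '');
}

// Behaviour after the change: only SCRIPT_NAME is used.
function fixedScriptName(array $server): string
{
    return $server['SCRIPT_NAME'] ?? '';
}

// Hypothetical derived value: the directory part of the script name,
// the kind of value that later ends up in generated links.
function sitePath(string $scriptName): string
{
    $pos = strrpos($scriptName, '/');
    return $pos === false ? '/' : substr($scriptName, 0, $pos + 1);
}

// Escape on output, regardless of where the value came from.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests (not captured traffic).
$requests = [
    ['REQUEST_URI' => '/index.php', 'SCRIPT_NAME' => '/index.php'],
    ['REQUEST_URI' => '/index.php/foo/bar', 'SCRIPT_NAME' => '/index.php', 'PATH_INFO' => '/foo/bar'],
    ['REQUEST_URI' => '/index.php/%3Ci%3Emarker/x', 'SCRIPT_NAME' => '/index.php', 'PATH_INFO' => '/<i>marker/x'],
];

foreach ($requests as $server) {
    $legacy = sitePath(legacyScriptName($server));
    $fixed = sitePath(fixedScriptName($server));
    printf(
        "%-28s legacy=%-14s fixed=%-3s legacy escaped=%s\n",
        $server['REQUEST_URI'], $legacy, $fixed, e($legacy)
    );
}
```

With the legacy derivation the site path follows the request's path info, so it is client-controlled; with SCRIPT_NAME only it stays `/` for all three requests.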