- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions
1. prevent layout breakage when using an authenticator which doesn't allow changing passwords
2. show explanatory messages when OTP or password changing is not available
3. allow app (API) passwords when using any auth module
This change introduces derived classes for ComboButton, DropDownButton
and Select that make sure that buttons do not remain focused after their
menus are closed. This allows using hotkeys after closing them.
Since making use of keypress in addition to keydown, hotkeys did not
work in certain scenarios, including clicking on the feed tree expanders
or empty spaces of the toolbar.
This issue is caused by dijit.Tree and dijit.Toolbar implementing the
_KeyNavMixin, which explicitly stops propagation of keypress events.
This change contains two main fixes plus a smaller hotfix:
1. It overrides _onContainerKeydown and _onContainerKeypress for
fox.FeedTree (which inherits from dijit.Tree).
2. It adds fox.Toolbar, which overrides _onContainerKeydown,
_onContainerKeypress and focus. This fixes hotkeys being swallowed
and the first focusable child receiving focus when clicking on an
empty space of the toolbar.
3. It adds the same handling of keydown and keypress to the prefs hotkey
handler as is done in the main hotkey handler.
Andrew Dolgov