Commit graph

3498 commits

Author SHA1 Message Date
Damien Elmes
bfc87c0427 Use CSP to block inline JS content in editor (#3939)
* Revert "Sanitize field content in editor"

This reverts commit 1c156905f8.

* Use CSP to block inline JS content in editor

This blocks inline scripts, scripts in the media folder, and
handlers like onclick in the editor. This is nicer than the previous
solution - it doesn't make any permanent changes, and leaves other
content like SVGs alone. Thanks to Nil Admirari for the suggestion.

(cherry picked from commit ddb8573e8d)
2025-04-23 16:23:18 +10:00
Aristotelis
e9dfb7a13d Fix AnkiWebPage not being initialized for default web view kinds (e.g. in add-ons) (#3933)
* add AnkiWebView subclasses for stats, empty cards and find dupes ui

* update ui files to use subclassed webviews instead

* remove superfluous calls to AnkiWebView.set_kind

* Avoid set_kind() race condition in legacy stats webview

Replacing the web view is a hacky workaround, but likely a reasonable compromise for a legacy view that we do not want to maintain a separate Qt form for.

* Slightly refactor AnkiWebView subclass creation and tweak inline comment

+ Extend create_ankiwebview_subclass() with the ability to set any
  init time AnkiWebView argument
+ Introduce some nice-to-haves in terms of static type checking support
  and IDE autocompletion
+ Mark helper function as private to discourage add-on use

* Drop `AnkiWebView.set_kind` completely

There no longer is an Anki-internal use case for changing the web view kind after initializing a web view, and add-ons almost certainly do not have any use for it either.

Given that setting the kind after web view construction can lead to known race conditions with `domDone` signals, we should remove this method to discourage uses like this in both Anki code and add-on consumers.

There currently only seems to be one add-on calling `set_kind()`, so this seems like a justifiable API change.

---------

Co-authored-by: llama <100429699+iamllama@users.noreply.github.com>
(cherry picked from commit 5b0f371791)
2025-04-23 16:23:02 +10:00
llama
fa1d6eae84 Fix flashing when opening the stats, empty cards or find dupes dialogs (#3928)
* add AnkiWebView subclasses for stats, empty cards and find dupes ui

* update ui files to use subclassed webviews instead

* remove superfluous calls to AnkiWebView.set_kind

* revert impl

* set page background colour after setPage in AnkiWebView.set_kind

(cherry picked from commit a74fd74631)
2025-04-18 00:10:14 +10:00
Damien Elmes
3f9f3b248e Avoid sending API key for remote resources
Thanks to Abdo for the report

(cherry picked from commit fbb4cf6124)
2025-04-17 11:19:17 +10:00
Damien Elmes
097f9bd138 Add some missed pages/endpoints (thanks to iamllama)
(cherry picked from commit b02111bb2c)
2025-04-17 11:19:11 +10:00
Aristotelis P
269fb073e9 Inject bridge script when profile set-up skipped
Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script.

With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely.

(cherry picked from commit 2a97b135ee)
2025-04-17 11:19:07 +10:00
Aristotelis P
0467f717ad Provide AnkiWebPage init defaults for existing add-on callers
(cherry picked from commit fd2c95a83e)
2025-04-17 11:18:59 +10:00
Damien Elmes
2fc6b72460 Require an auth token for API access
We were previously inspecting the referrer, but that is spoofable,
and doesn't guard against other processes on the machine.

To accomplish this, we use a request interceptor to automatically
add an auth token to webviews with the right context. Some related
changes were required:

- We avoid storing _page, which was leading to leaks & warning on exit
- At webview creation (or set_kind() invocation), we assign either
an authenticated or unauthenticated web profile.
- Some of our screens initialize the AnkiWebView when calling, e.g.,
aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind().
This reveals a race condition in our DOM handling code: the webview
initialization creates an empty page with the injected script, which
causes a domDone signal to be sent back. This signal arrives after
we've created another page with .set_kind(), causing our code to think
the DOM is ready when it's not. Then when we try to inject the dynamic
styling, we get an error, as the DOM is not ready yet. In the absence
of better solutions, I've added a hack to set_kind() to deal with this
for now.

(cherry picked from commit 24bca15fd3)
2025-04-17 11:17:47 +10:00
GithubAnon0000
44e01ea063
Update reviewer.py to prevent custom scheduler js from commenting out py code (#3795)
* Update reviewer.py to prevent custom scheduler js from commenting out py code

* Do not use custom code, but move {js} instead
2025-02-09 16:06:49 +03:00
llama
01c4b48c7d
only change notetype/deck when reopening if no changes to discard (#3798) 2025-02-09 15:58:21 +03:00
Damien Elmes
f893ec63af Prompt user to apply Windows updates when SSL connection fails
See #3793
2025-02-06 22:57:15 +07:00
Damien Elmes
50c1155eb7 Give editcurrent its own menubar too
Closes #3785
2025-02-06 18:57:59 +07:00
Danika-Dakika
6e7dcad542
Update Deck Options strings to clarify Timers (#3792)
* Update CONTRIBUTORS

added myself

* Update about.py

added myself

* Update scheduling.ftl

timers-related string changes

* Update deck-config.ftl

timers-related string changes

* Update help-page.ts

timers-related string changes
2025-02-06 15:17:30 +07:00
llama
009a683e62
Fix discard changes randomly being a noop on certain linux systems (#3781)
* fix discard changes randomly being a noop on certain linux systems

* use QApplication.setActiveWindow instead

* revert current impl

* wait for the next event loop iter before calling activeWindow
2025-02-02 23:31:36 +07:00
llama
fab939e0e1
add image context menu actions for io mask editor (#3779) 2025-01-31 00:06:29 +11:00
llama
3641030b35
fix error when right-clicking empty space in update addons dialog (#3780) 2025-01-30 23:42:27 +11:00
llama
56dd93b5be
Add drag/drop support when adding IO images (#3776)
* allow adding images via drag/drop when adding io

* support editing io notes as well

Co-authored-by: Abdo <abdo@abdnh.net>

---------

Co-authored-by: Abdo <abdo@abdnh.net>
2025-01-27 18:58:58 +03:00
llama
00501c267c
fix copying images with filenames containing reserved chars (#3775) 2025-01-27 16:57:31 +03:00
Damien Elmes
5ccc6304e3 Fix drag&drop on some Linux systems
Thanks to Ab_Bc:
https://forums.ankiweb.net/t/image-occlusion-not-working-jan-2025/54523/17

Closes #3767
2025-01-26 17:31:54 +11:00
Damien Elmes
71ae5a6b67 Use a simple menubar for addcards on macOS
This makes initial-open and reopen behaviour consistent.

Closes #3659
2025-01-26 17:05:09 +11:00
Damien Elmes
cd1824165f Revert "Qt 6.8.1"
This reverts commit 04228de666.

Anki 25.01 Beta 1 revealed a bunch of regressions with the latest
Qt, and zero reports of improvements from it, so we'll be better off
holding off on it for now, and perhaps reporting the deadkeys issue
to Qt once we've got a proper reproduction process.
2025-01-25 21:41:33 +11:00
llama
d463f11d07
Allow reopening the add cards window (#3756)
* allow reopening the add cards window

* deck needs to be changed after notetype
since changing notetype potentially changes deck
2025-01-25 09:54:10 +03:00
kelciour
760ce162fb
Cleanup avplayer on profile close (#3754) 2025-01-25 09:44:15 +03:00
Damien Elmes
bc48eb4595 Log Anki version at startup
Useful for confirming running version when debugging startup problems
2025-01-24 14:33:34 +11:00
Damien Elmes
5974f5df7e Mention how about is not intended to mirror CONTRIBUTORS
https://github.com/ankitects/anki/pull/3750
https://github.com/ankitects/anki/pull/3575
2025-01-24 14:07:01 +11:00
Damien Elmes
46310612ae Add camera to entitlements
https://forums.ankiweb.net/t/are-there-any-plans-to-allow-the-use-of-the-webcam-in-anki-for-mac/53851
2025-01-24 12:47:20 +11:00
user1823
64ca90934b
Increase font size in debug console (#3743) 2025-01-20 06:47:33 +03:00
Gregory
1be94a8b04
Update about.py (#3738)
add contributor
2025-01-18 17:19:09 +11:00
llama
430d5f5639
Revert Editor.set_note's signature change with an alternative approach for #3730 (#3736)
* remove orig_note_id param

* add and use Note.orig_note_id instead

* add and use Editor.orig_note_id instead
2025-01-18 17:14:09 +11:00
llama
86c2887e56
Add support for copied image files when adding IO notes (#3733)
* unhardcode allowed_suffixes

* support pasting urls from clipboard when adding io notes
2025-01-18 15:59:36 +11:00
Luca Auer
899cb89990
Prevent stale frames from being drawn / always ensure up-to-date contents in webview (#3668)
* Prevent stale frames being drawn.

At key points where external changes enter the webview, stale images might get rendered. This ensures that a frame showing current state is always shown.

* Only stage single redraw

* Remove potentially superfluous calls to `self.update()`

* Remove potentially superfluous calls to `self.update()`.

I lost this one during some git troubles.

* Revert unrelated change

The function is supposed to take a boolean telling it whether or not the loading succeeded, which it doesn't as is. However, this is unrelated and works either way so I also reverted it again.

* chore: code cleanup

* cleanup: Remove redundant check for presence of callback

A callback will be used either way for this call, so it can be simplified. The check happens inside the handler.

* Add comment explaining why this change is necessary, referencing the relevant PR.

* Clarify comment to answer the why, not the what.

One can see what is being done, why is probably more important.
2025-01-18 15:54:20 +11:00
llama
9c0911891d
Fix "Create copy" for IO notes (#3730)
* expose get_image_occlusion_fields

* fix create copy for io

* revert current impl

* passthru original note id when creating copy

* add IOCloningMode

* fix create copy for io
2025-01-17 16:03:00 +11:00
Luc Mcgrady
146a0b2dcf
"Copy template as markdown" button. (#3719)
* Added: Copy template info button

* Consistent with Ankidroid

* Fix: Missing newline

* Renamed variables

* ./check

* Fix: Remove ``` from templates

* Stylistic changes

* ./check
2025-01-15 20:29:35 +11:00
llama
38821372dd
Use platform-native button layout in dialogs and messageboxes (#3725)
* set button-layout prop in stylesheet

* fix lint

* check for and use non-default layout on linux before falling back
2025-01-13 14:24:21 +11:00
Yuki
db30685b9a
Refactoring and comments (#3721) 2025-01-12 15:46:20 +11:00
Ross Brown
d0a4fbb7aa
Fix "Note Types" dialog moving down each time it is opened (#3718) 2025-01-12 15:33:37 +11:00
Damien Elmes
a83df635f7 Add camera usage description
https://forums.ankiweb.net/t/are-there-any-plans-to-allow-the-use-of-the-webcam-in-anki-for-mac/53851/10
2025-01-12 13:00:04 +11:00
Yuki
9460911d90
Fix menubar in fullscreen (#3710)
* Fix/menubar in fullscreen

* CONTRIBUTORS file

* Fix/menubar in fullscreen

* CONTRIBUTORS file

* Fix and add Type hints
2025-01-10 20:18:32 +11:00
kelciour
53be365678
Fix mpv loadfile syntax change 2 (#3711)
* Revert "Fix mpv loadfile syntax change (#3105)"

This reverts commit 111f3bd138.

* Fix mpv loadfile syntax change 2
2025-01-10 19:16:08 +11:00
Damien Elmes
4c34a2d133 Fix Windows bundling
Missed in the Qt6.8 changes
2025-01-10 18:10:36 +11:00
llama
ef94bf1cb0
Add support for html comments to template syntax (#3662)
* add support for comments to templates

* add tests

* add support for comments to CardLayout

* fix lints

* revert current impl

* extract parsing logic from legacy_text_token

* add support for comments to templates

* add tests

* refactor take_until_handlebar_start_or

* remove redundant rest

* Require full subclause match when locating next token (dae)

* Rework legacy template handling (dae)

The handlebar parser is now an instance method of a TemplateMode
enum, allowing us to avoid duplicate code for the legacy code path,
and the necessity to box up the iterator.

This does result in a change in behaviour: when the user has specified
the alternate syntax, the standard syntax will no longer be accepted.

* Remove stale comment (dae)
2025-01-09 23:35:48 +11:00
Damien Elmes
5d150c74a4
Qt 6.8.1 (#3633)
* Qt 6.8.1

Bumps minimum glibc to 2.35, and minimum macOS to 12

* Drop generation of Qt5 packaged build

Closes #3615

* Include qt6 requirements in aqt wheel; drop extra deps

* Fix aqt wheels growing over time
2025-01-09 20:07:12 +11:00
Arthur Milchior
d7fc98d4d8
Deck options without bridge (#3571)
* NF: Modify CONTRIBUTORS

Just so that I stop getting the warning

* NF: Create `deckOptionsReady`

* NF: rename _close to require_close

The method will have to be used outside of this class, so can't be private

* NF: simplify slightly some code

* NF: remove bridge command from deck options

* Remove unused import

* Remove superfluous comment with a typo
2025-01-08 21:30:30 +11:00
llama
ca6002fd58
remove image menu feature when on qt5 (#3685) 2025-01-07 15:30:51 +03:00
llama
91b3740554
Stop audio playback on editor close (#3666)
* stop audio playback on browser close

* revert fix

* add caller-aware versions of play_file and stop_and_clear_queue

* stop editor's audio autoplay on close

* remove superfluous stop_and_clear_queue from addcards
2025-01-04 18:55:40 +03:00
llama
5a7a9090b6
Allow choosing filtered decks in stats (#3687)
* add optional passthru param dyn to DeckChooser

* include filtered decks when choosing decks in stats
2025-01-04 17:39:16 +03:00
llama
53a2e34a3f
Fix missing buttons on bottom bar when window is narrow (#3653)
* Delay offsetHeight query to account for reflow

* Handle invalid value if webview page was deleted
2024-12-22 11:29:54 +10:00
Ben Nguyen
3a7a1c7346
Don't parse TTS text as XML (#3651) 2024-12-22 11:09:00 +10:00
llama
b061da73d3
Replace use of window.postMessage in card info (#3646)
* Use anki.updateCard instead of window.onmessage in card-info

* Make card-info placeholder text grey

---------

Co-authored-by: Abdo <abdo@abdnh.net>
2024-12-18 11:32:07 +03:00
llama
a0712b04e1
Split off path into its own arg (#3641) 2024-12-16 14:15:05 +03:00