(originally merged into a PR branch)
* Make URL schemes dialog more ergonomic
* add name to contributors list
* Title Case
* Tweak build instructions so Cursor picks them up
* Use a warning icon for the URL scheme pop-up
* Default to cancelling
mpv looks for ytdl on the path, which includes the CWD on Windows.
A malicious shared deck could place an executable called yt-dlp.exe in the
media folder, which mpv would then helpfully invoke the first time
a YouTube link was encountered.
A big thank you to Michael Lappas for the report.
Currently, if a user tries to close Preview which was opened inside Browse, the "parent" Browse window itself gets closed
Co-authored-by: beyondcompute <beyondcompute@users.noreply.github.com>
* Add a way to pass information from browser_will_search to browser_did_search without having it going to the backend
* Allow None for SearchContext.properties
* Adding myself in CONTRIBUTORS
* Rename SearchContext.properties to SearchContext.addon_metadata
* Revert "Adding myself in CONTRIBUTORS"
This reverts commit a993577279.
* Reapply "Adding myself in CONTRIBUTORS"
This reverts commit f3ce51c83d.
* Enable Cmd+W shortcut in "Edit Current" on Mac
* Enable Cmd+W shortcut in "Fields" editor on Mac
* Enable Cmd+W shortcut in "Cards" editing on Mac
* Enable Cmd+W shortcut in "Sync" tab modal on Mac
* Enable Cmd+W shortcut in "Custom Study" tab modal on Mac
* Enable Cmd+W shortcut in Settings view on Mac
* Enable Cmd+W shortcut in Export dialogs on Mac
* Enable Cmd+W shortcut for getText dialog on Mac
* Enable Cmd+W shortcut in "Change Deck" on Mac
* Enable Cmd+W shortcut in Reposition dialog on Mac
* Enable Cmd+W shortcut in "Grade Now" dialog on Mac
* Enable Cmd+W shortcut in "Reset…" dialog on Mac
* Remove duplicate camelCase variant of add_close_shortcut (dae)
- The camelCase variant will remain accessible with a warning.
- The removed setattr line is legacy cruft, and wasn't doing anything.
* NF: replace `disabled` by `enabled`
This allows to remove the negations and, in my opinion, make the code
easier to understand and edit.
* Cloze button get disabled outside of cloze field
More specifically, if the user focus in a field that is not a cloze
field, the button are still there but appear as disabled. The shortcut
instead of adding the cloze context shows an alert explaining why this
can't be done.
While this message is already displayed when the user tries to add a
note with cloze in non-cloze field, I suspect it will save time to
stop the user as soon as possible from making mistake. This should
make very clear what is authorized and what is not.
It'll also be a reminder of whether the current field is a cloze or
not.
In order to do this, I added a back-end method (that I expect we may
reuse in ankidroid) to get the index of the fields used in cloze. This
set is sent to the note editor, which propagates it where needed.
In mathjax, the cloze symbol is removed when the selected field is not
a cloze field.
* Revert "Sanitize field content in editor"
This reverts commit 1c156905f8.
* Use CSP to block inline JS content in editor
This blocks inline scripts, scripts in the media folder, and
handlers like onclick in the editor. This is nicer than the previous
solution - it doesn't make any permanent changes, and leaves other
content like SVGs alone. Thanks to Nil Admirari for the suggestion.
* add AnkiWebView subclasses for stats, empty cards and find dupes ui
* update ui files to use subclassed webviews instead
* remove superfluous calls to AnkiWebView.set_kind
* Avoid set_kind() race condition in legacy stats webview
Replacing the web view is a hacky workaround, but likely a reasonable compromise for a legacy view that we do not want to maintain a separate Qt form for.
* Slightly refactor AnkiWebView subclass creation and tweak inline comment
+ Extend create_ankiwebview_subclass() with the ability to set any
init time AnkiWebView argument
+ Introduce some nice-to-haves in terms of static type checking support
and IDE autocompletion
+ Mark helper function as private to discourage add-on use
* Drop `AnkiWebView.set_kind` completely
There no longer is an Anki-internal use case for changing the web view kind after initializing a web view, and add-ons almost certainly do not have any use for it either.
Given that setting the kind after web view construction can lead to known race conditions with `domDone` signals, we should remove this method to discourage uses like this in both Anki code and add-on consumers.
There currenty only seems to be one add-on calling `set_kind()`, so this seem like a justifiable API change.
---------
Co-authored-by: llama <100429699+iamllama@users.noreply.github.com>
* add AnkiWebView subclasses for stats, empty cards and find dupes ui
* update ui files to use subclassed webviews instead
* remove superfluous calls to AnkiWebView.set_kind
* revert impl
* set page background colour after setPage in AnkiWebView.set_kind
* Sanitize field content in editor
The editor already strips script tags from fields, but was allowing
through Javascript in things like onclick handlers. We block this now,
as the editor context has access to internal APIs that we don't want to
expose to untrusted third-party code.
* Require an auth token for API access
We were previously inspecting the referrer, but that is spoofable,
and doesn't guard against other processes on the machine.
To accomplish this, we use a request interceptor to automatically
add an auth token to webviews with the right context. Some related
changes were required:
- We avoid storing _page, which was leading to leaks & warning on exit
- At webview creation (or set_kind() invocation), we assign either
an authenticated or unauthenticated web profile.
- Some of our screens initialize the AnkiWebView when calling, e.g.,
aqt.forms.stats.Ui_Dialog(). They then immediately call .set_kind().
This reveals a race condition in our DOM handling code: the webview
initialization creates an empty page with the injected script, which
causes a domDone signal to be sent back. This signal arrives after
we've created another page with .set_kind(), causing our code to think
the DOM is ready when it's not. Then when we try to inject the dynamic
styling, we get an error, as the DOM is not ready yet. In the absence
of better solutions, I've added a hack to set_kind() to deal with this
for now.
* Provide AnkiWebPage init defaults for existing add-on callers
* Inject bridge script when profile set-up skipped
Some add-ons fully override AnkiWebPage.__init__ and thus depend on _setupBridge injecting the JS bridge script.
With this change we account for these cases, while giving add-ons the opportunity to look for solutions that do not require overriding AnkiWebPage.__init__ completely.
* Add some missed pages/endpoints (thanks to iamllama)
* Avoid sending API key for remote resources
Thanks to Abdo for the report
---------
Co-authored-by: Aristotelis P <201596065+aps-amboss@users.noreply.github.com>
* Add checkbox
* Working in editor
* Toolbar webview
* Other webviews
* Even more webviews
* Move to profile settings
* Add to contributors [skip ci]
* Fix checks
* Fix checks
* Better?
* Remove unneded
* Remove checkbox and a few other things
* How the hell did that happen
* Undo FTL changes (dae)
* Remove superfluous config entry (dae)
* Add comment about profile keys (dae)
* fix: correct typo and adjust indentation in docstring
Fixed a small typo in the webview_did_inject_style_into_page docstring and adjusted indentation for consistency.
* Update CONTRIBUTORS
* Show "and others" at the end of the contributor list in the about dialog
* Make about addendum translatable
* Fix CONTRIBUTORS
* Fix CONTRIBUTORS
* Update ftl/qt/about.ftl (dae)
* Remove unused import
* Nit-pick on code comment
* Enable View Page/Config buttons only when 1 add-on selected
* Enable Cmd+W shortcut (on Mac only) to close Add-ons dialog
* Feat/grade now
* pass ci
* fix from_queue
* Refactor card answering to support from_queue flag
- Add `from_queue` field to `CardAnswer` struct and proto message
- Modify `answer_card_inner` to handle queue updates based on `from_queue`
- Remove `grade_card` method and consolidate card answering logic
- Update related test cases to set `from_queue` flag
* fix current_changes() called when no op set
* Optimize queue updates for batch card processing
- Refactor `grade_now` to collect processed card IDs first
- Add new `update_queues_for_processed_cards` method for efficient batch queue updates
- Improve queue management by removing entries and updating counts in a single pass
- Remove individual queue update method in favor of batch processing
* pass ci
* keep the same style
* remove ineffective code
* remove unused imports
* Add myself to CONTRIBUTORS
* Set draggable="false" attribute on .replay-button
Because currently if a user drags slightly (even unintentionally) upon clicking a play button, play does not happen
* Prevent dragging hint links
Because if a user moves cursor a little after `mousedown`, action (expanding the hint) does not occur. Which might cause issues from accessibility standpoint
* feat: add title to rename dialog
* fix: localize hardcoded message
* feat: add title to create deck dialog
* refactor: formatting fixes
* add name to about screen
adding my name to contributors for the third time
* Raise exception from closures in run_in_background using run_on_main
* Add author to CONTRIBUTORS file
* Undo taskman changes
* Raise exceptions from _on_closures_pending using singleShot
* refactor: accept window title in some dialog methods
* feat: match sync initial title with state
Sync iniates in the `Checked` state, so the initial title is changed to match it instead of using the generic `Anki` title
* feat: use `Sync` as the tile of login screen
Maybe a new string should be created for that.
* feat: Use `Sync` as title of the sync conflict dialog
Maybe a new string should be used for that
* refactor: fix formatting
* fix: alias in CONTRIBUTORS
Even in 2025, the script isn't smart enough to handle different casing or use just the GitHub ID
The uninstall script runs `xdg-mime uninstall` which takes >5 seconds to process.
There is no indication to the user though that the script is actually running. Adding an `echo` info message solves that.
Additionally we could `rm -rfv` to make it more verbose (the install script is verbose too). But the main thing that needs time to process is the `xdg-mime uninstall` part of the script.
The reason why I didn't make `rm -rf` verbose, too, is that the output text is greater than the buffer that the terminal provides – meaning you cannot view it from the beginning. And since `rm` is very fast even on old systems with slow hardware I didn't really see a reason to make it verbose here.
* Add function to restore the default name of a flag
* Call function to restore default flag name if flag renamed to empty string
* Update _load_flags to use the default_flag_names dict
* Add name to contributors file
* Add trailing comma to pass tests
* Update to follow python style guide
* Update about.py
* Revert "Update _load_flags to use the default_flag_names dict"
This reverts commit caa8fea94b.
* Use require_refresh() instead of storing default flag names
