[js] remove leftover dead code in loadxhtml form.callback support was removed in changeset 68cde7431c2c, but some signs of it remained.

[web] Avoid using an empty dict as default parameter of 'CubicWebRequestBase'. Also update the related docstring of the __init__ method.

[schema] fix composite deletion handling Do not delete component entities if the composite is not deleted in the same transaction. Deletion semantics are thus: if the composite is deleted, the components are deleted. Closes #3463112.

[schema] add composite handling helpers on EntitySchema (related to #3463112) These will help write predicates, hooks, etc.

[server] Handle unique constraint violations under recent sqlite The error message changed from "columns foo, bar, baz are not unique" to "UNIQUE constraint failed: table.foo, table.bar, table.baz". Closes #3564510

[i18n] update de: 1065 translated messages, 1 fuzzy translation, 259 untranslated messages. en: 656 translated messages, 669 untranslated messages. es: 1325 translated messages. fr: 1314 translated messages, 11 untranslated messages.

[i18n] es.po updated

merge 3.18.x in 3.19 branch

3.18 is stable

[schema] explicitly declare 'add' permissions for a couple attributes

Added tag cubicweb-version-3.17.13, cubicweb-debian-version-3.17.13-1, cubicweb-centos-version-3.17.13-1 for changeset 09b4ebb9b0f1

Added tag cubicweb-version-3.18.3, cubicweb-debian-version-3.18.3-1, cubicweb-centos-version-3.18.3-1 for changeset afd21fea201a

Update translations

[pkg] prepare 3.18.3

merge 3.17.13

[ldapfeed] fix encode error during initial user import Closes #3539196.

[web/data] Ignore disabled widgets in cw.utils.formContents() (closes #3544492) 17.12.1 Disabled controls : http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.12.1 When set, the disabled attribute has the following effects on an element: * Disabled controls do not receive focus. * Disabled controls are skipped in tabbing navigation. * Disabled controls cannot be successful. The third one is the important one. 17.13.2 Successful controls : http://www.w3.org/TR/REC-html40/interact/forms.html#successful-controls A successful control is "valid" for submission. Every successful control has its control name paired with its current value as part of the submitted form data set. Bottom line, disable widgets should not be part of the names and values lists returned by formContents().

[etwist] Fix an empty request content after a Twisted processing (closes #3546795). The content of a POST request could be empty when the Twisted server is used.

[web/data] remove images that aren't used anywhere

[web/data] Add missing images from jquery-ui 1.10.3 Closes #3175933

[web/navigation] use add_onload instead of inline javascript href This way our javascript code isn't thrown out by the html cleaner e.g. when using the rql rest directive and a table view. To make things simpler, we now always use ajax URLs for navigation, even when we would previously have used regular links. Closes #3501626

[web/data] fix treeview regression (closes #3526466) Changeset 68cde7431c2c "[js] remove 3.9 bw compat (where apparently unused)" removed the use of form.callback from loadxhtml, which treeview relied on. Update to add a callback on the loadxhtml return value instead.

backout 8f3e963501e2, which is not ready yet

[pkg] also bump it there

[pkg] prepare 3.17.13

[navigation] use add_onload instead of inline javascript href This way our javascript code isn't thrown out by the html cleaner e.g. when using the rql rest directive and a table view. Closes #3501626

[uilib] allow canvas tags in the html cleaner Used by the iprogress cube. Closes #3524254.

[ajax] use a custom tag to handle dynamically loaded js Using <pre class="script"> makes it trivial for a malicious user to inject arbitrary javascript into a html or rest text element (because it looks innocent to the html sanitizer). Using a custom tag we can be sure that it actually comes from our code and not from untrusted user data. IE ignores custom tags, though, so we put it in its own namespace. https://extranet.logilab.fr/1530578