[web/data] Ignore disabled widgets in cw.utils.formContents() (closes #3544492) 17.12.1 Disabled controls : http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.12.1 When set, the disabled attribute has the following effects on an element: * Disabled controls do not receive focus. * Disabled controls are skipped in tabbing navigation. * Disabled controls cannot be successful. The third one is the important one. 17.13.2 Successful controls : http://www.w3.org/TR/REC-html40/interact/forms.html#successful-controls A successful control is "valid" for submission. Every successful control has its control name paired with its current value as part of the submitted form data set. Bottom line, disable widgets should not be part of the names and values lists returned by formContents().

[etwist] Fix an empty request content after a Twisted processing (closes #3546795). The content of a POST request could be empty when the Twisted server is used.

[web/data] remove images that aren't used anywhere

[web/data] Add missing images from jquery-ui 1.10.3 Closes #3175933

[web/navigation] use add_onload instead of inline javascript href This way our javascript code isn't thrown out by the html cleaner e.g. when using the rql rest directive and a table view. To make things simpler, we now always use ajax URLs for navigation, even when we would previously have used regular links. Closes #3501626

[web/data] fix treeview regression (closes #3526466) Changeset 68cde7431c2c "[js] remove 3.9 bw compat (where apparently unused)" removed the use of form.callback from loadxhtml, which treeview relied on. Update to add a callback on the loadxhtml return value instead.

backout 8f3e963501e2, which is not ready yet

[pkg] also bump it there

[pkg] prepare 3.17.13

[navigation] use add_onload instead of inline javascript href This way our javascript code isn't thrown out by the html cleaner e.g. when using the rql rest directive and a table view. Closes #3501626

[uilib] allow canvas tags in the html cleaner Used by the iprogress cube. Closes #3524254.

[ajax] use a custom tag to handle dynamically loaded js Using <pre class="script"> makes it trivial for a malicious user to inject arbitrary javascript into a html or rest text element (because it looks innocent to the html sanitizer). Using a custom tag we can be sure that it actually comes from our code and not from untrusted user data. IE ignores custom tags, though, so we put it in its own namespace. https://extranet.logilab.fr/1530578

[dataimport] fix comment

[hooks/security, devtools/fill] silence yams 0.38.0 warnings

Drop 3.13 incomplete backward compat in edit controller. It is very old and broken (there is another non-backward-copmpatible usage of `_cw_entity_fields`), better to remove it instead of fixing. Closes #3515223.

[devtools] force locale to C for postgresql test clusters Avoids initdb failure with e.g. iso8859-X locale and utf-8 encoding.

[rql2sql] remove special behaviour of symmetric relation vs DISTINCT 0542a85fe667 replacing SQL OR by hooks for symmetric relations allows that. This involve a single test value change for a border case: when querying a symmetric relation without specifying the subject nor the object, you may get some duplicated result. IMO this is fine to let the user explicitly use DISTINCT or not and to remove the dedicated handling we had which didn't let any choice. Related to #3259713

Typo in comments and error messages

Fix typo in a setup.py comment

[dataimport, migration] more fixes in the spirit of a6c32edabc8d: [entity, metadata] huuum, use resolvable url as cwuri... And fix existing ones. Closes #3390388

[doc] Fix typo in devrepo/fti

[doc/3.19] Clarify repoapi.get_repository usage Followup for 9a62c52d167e.

[server] use a connection instead of a session for user authentication

Use repoapi instead of dbapi for cwctl shell, upgrade and db-init Hopefully nobody uses dbapi-specific API in their migration scripts. I guess we'll find out.

[server/repo] use internal_cnx in init_sources_from_database

[server/session] avoid spurious warnings from Session.close Add internal non-noisy _rollback method.

[server] rename session to cnx in querier and plan They don't actually need a session, so let's make that clear.

[repo] Use a connection instead of a session for repo.stats()

[repo] Use a connection instead of a session for repo.gc_stats()

[repo] Use a connection instead of a session for repo.get_versions()

[webconfig] get_repository moved to repoapi

[schemaserial] Replace 'cursor' with 'cnx' We don't have cursors in rql, since execute is synchronous.