[web/data] remove images that aren't used anywhere

[web/data] Add missing images from jquery-ui 1.10.3 Closes #3175933

[web/navigation] use add_onload instead of inline javascript href This way our javascript code isn't thrown out by the html cleaner e.g. when using the rql rest directive and a table view. To make things simpler, we now always use ajax URLs for navigation, even when we would previously have used regular links. Closes #3501626

[web/data] fix treeview regression (closes #3526466) Changeset 68cde7431c2c "[js] remove 3.9 bw compat (where apparently unused)" removed the use of form.callback from loadxhtml, which treeview relied on. Update to add a callback on the loadxhtml return value instead.

backout 8f3e963501e2, which is not ready yet

[pkg] also bump it there

[pkg] prepare 3.17.13

[navigation] use add_onload instead of inline javascript href This way our javascript code isn't thrown out by the html cleaner e.g. when using the rql rest directive and a table view. Closes #3501626

[uilib] allow canvas tags in the html cleaner Used by the iprogress cube. Closes #3524254.

[ajax] use a custom tag to handle dynamically loaded js Using <pre class="script"> makes it trivial for a malicious user to inject arbitrary javascript into a html or rest text element (because it looks innocent to the html sanitizer). Using a custom tag we can be sure that it actually comes from our code and not from untrusted user data. IE ignores custom tags, though, so we put it in its own namespace. https://extranet.logilab.fr/1530578

[dataimport] fix comment

[hooks/security, devtools/fill] silence yams 0.38.0 warnings