In ffc29ee043 (part of v1.0.0), a
qute://settings/set URL was added to change settings.
Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).
In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.
Fixes#4060
See #2332
The test above this one loads hello.txt, but we don't wait for the "load
finished" message, so it can arrive after the previous test already finished and
make this test not wait properly.
However, we also can't easily wait for the load finished message in the
previous test as it only appears with QtWebEngine, not QtWebKit.
As a workaround, we simply load another file in that test, to circumvent this
kind of cross-interaction.
This now works correctly in XML documents. The stylesheet is applied at
document creation to reduce flickering, and is updated if the
user_stylesheets setting is changed after page load.
When we open a background tab, it gets a hardcoded size (800x600 or so) because
it doesn't get resized by the layout yet.
By resizing it to the size it'll actually have later, we make sure scrolling to
an anchor in an background tab works, and JS also gets the correct size for
background tabs.
Fixes#1190Fixes#2495
See #1417
There's actually no good reason to filter javascript links as we might want to
click them (or copy their URL) just like any other link - this fixes#2404.
With that being gone, we don't need FILTERS at all anymore, as we can check for
existence of the href attribute in the CSS selector instead.
