Age | Commit message | Author |
|
In ffc29ee043ae7336d9b9dcc029a05bf7a3f994e8 (part of v1.0.0), a
qute://settings/set URL was added to change settings.
Contrary to what I apparently believed at the time, it *is* possible for
websites to access `qute://*` URLs (i.e., neither QtWebKit nor QtWebEngine
prohibit such requests, other than the usual cross-origin rules).
In other words, this means a website can e.g. have an `<img>` tag which loads a
`qute://settings/set` URL, which then sets `editor.command` to a bash script.
The result of that is arbitrary code execution.
Fixes #4060
See #2332
(cherry picked from commit 43e58ac865ff862c2008c510fc5f7627e10b4660)
|
|
Fixes #3697
(cherry picked from commit fd9e7bed7fd9842eac22ed304a094a92cc953577)
(cherry picked from commit 84c7c37e8eb61f7e3dddbbfc6dbbcfd3f5afeffd)
|
|
For some reason, macOS doesn't care about us disabling software rendering
(cherry picked from commit d232b3ea57a7379c3776a0d65bd5b8fa4f29b42e)
|
|
When we reload a page because of a config change, we won't get another
titleChanged signal (at least sometimes).
Also, the predicted_navigation signal is worthless when reloading anyways, as
we're going to load the same URL and not something different.
Fixes #3718
(cherry picked from commit 0418a865c17c26720219e33a67c88410a6ac7181)
|
|
(cherry picked from commit 35beff98a94213f725a0a568e4d2a81d2b43c926)
|
|
(cherry picked from commit a6e94cf30cdca42ab93ac7801d2f044248880d01)
|
|
This got fixed properly in master, but can stay like this in this branch.
|
|
Fixes #3701
(cherry picked from commit b88ac51d25da043ca431b2cc12a353f34bce06f7)
|
|
Fixes #3706
(cherry picked from commit 1c9598d2c00257ea82fda211f3e734bcc3e76524)
|
|
(cherry picked from commit 8c5b7bcd0395f113383a730752b766636c50f776)
|
|
This makes sure the internal bindings.commands object only contains normalized
key sequences.
Fixes #3699
(cherry picked from commit 994181212734cacdfa6e4d7cb35402881282bf4f)
|
|
We can't easily make it work for ListOrValue as we don't know which of both we
get at this point.
(cherry picked from commit 990c0707f4533bab35be1c24dd7dca759fc8fdcd)
|
|
(cherry picked from commit c03ef10d54e2129d309ea5d6c40471efa105764e)
|
|
This hopefully helps with detaching it properly.
(cherry picked from commit 27c2650245687cb8e50a7a2984ab5ad76dade053)
|
|
Fixes #3662
(cherry picked from commit 30ab1d02180eb58ed538e7b3c9528a1f5c0a90c1)
|
|
See #3238
(cherry picked from commit f0a649e101d7a6563d9ce60d474f6f7ea3b3f9a9)
|
|
The URLs and the patching were changed in
96e8151ccef1ee4e497106678432e3025f39d6d2 but not in quickstart.asciidoc.
(cherry picked from commit 75ab8f077d8de8da17b681ca02c06f24516714b1)
|
|
Fixes #3698
(cherry picked from commit d9f7d401c612706f08600225dd8ee3dbcb428b46)
|
|
When we press "s<Escape>", we don't want <Escape> to be handled as part of a key
chain.
|
|
See https://bugreports.qt.io/browse/QTBUG-66104
|
|
See #3687
[ci skip]
|
|
Fixes #3686
|
|
Might run more stable, and makes more sense anyways.
|
|
1899e313fd4f0a35cb71390053ebbcb8df451537 as a fix for #3631 broke :unbind, as
the config system treats None and '' equally.
Instead, allow None/'' again, but just handle it as "no binding".
|
|
This was introduced (most likely accidentally) in
9cbacf3264fdfcbf491a48811de151779f0ebebc.
Fixes #3631
|
|
This should avoid a double-reload for 'tsh' etc.
|
|
Closes #3143
|
|
This mostly reverts 4ef5db1bc4b5205812714a57d29daa59224afe8b for #1966, but
fixes #3684 by allowing numbers to be bound again. If the user wants to bind
numbers instead of using them for a count, why not let them.
|
|
Fixes #3131
|
|
Fixes #3678
|
|
See #3648
|
|
With QtWebKit it's probably okay to still use it (*cough* Hyperbola
GNU/Linux-libre^tm *cough*), and only blacklisting it with QtWebEngine would be
quite some effort.
Fixes #3608
|