Whenever we use a typeahead, we should use the escaping highlighter
unless we're explicitly going to put sanitized content in it.
(imported from commit 33086327fe56a7bcbbbf8a08fe3f39800b195e75)
This also cleans up the autocomplete source specifications,
making the three typeaheads all look fairly consistent.
(imported from commit e72655d715db74cfc9ab45b51e7e2ff9e8ea84c5)
This makes the diff a bit cleaner.
Revert "Interim measure: Escape fullnames as well."
This reverts commit a634e6ac39ea337be499889b3ff64b3c4f4fcccb.
Revert "Interim measure: Escape subject names before they go into the typeahead."
This reverts commit 806bc719ab296ec0fe299b33c7aa6767a0c71b9d.
(imported from commit 5a579e3535846b2bc612cf03e43c562c83119812)
While we're at it, fix the fact that we're currently not adding
entries to the subscriptions_table at all when we do
subscribe-and-send.
(imported from commit 99bf574a4a296463e562a44186e2282654464542)
I'm sure this problem exists in a latent way with stream names and
email addresses as well. Once I figure out a general way to fix this,
I'd like to go back and handle these three cases in a cleaner,
symmetric way, but this'll do for now.
(imported from commit a634e6ac39ea337be499889b3ff64b3c4f4fcccb)
This is problematic because if your subject name is <b>hi</b>,
selecting it from the typeahead comes back with:
<b>hi</b>
which obviously isn't really OK.
(imported from commit 806bc719ab296ec0fe299b33c7aa6767a0c71b9d)
Validation was happening, but was not preventing sending. We now
just manually call the validation function in compose.finish()
instead of relying on jquery.form's beforeSubmit option.
(imported from commit e094832bf8948f4c6f58cc0d0923bf0fd09db4b1)
It's possible that the three places we can kill a popover
(body click, Esc, clicking on a new one) should be
refactored to use the same code.
(imported from commit ba7eab480fd2258abfb469c8f1155f29bc63f7f6)
We weren't listing to compose finish events during reload previously,
which meant that finishing a message was not handled in the same way
as canceling a message.
(imported from commit 4f2576121a8b5354c94348bc2896a2db8c4be000)
This would only happen when you hit enter directly, instead of using
the search up / down buttons.
(imported from commit 90301f64b3f24e91c103342bd6a7f1b3e61f8928)
Per the docs, these are only meant to be used on arrays of DOM elements.
jQuery might one day assign a different meaning to arrays of strings,
and then we could have some security issues or weird breakage.
(imported from commit 545eee1e9c6955556d5c4bda30cd6db0dce19c60)
Instead we infer this from narrow.active(), with the ability to override during
the narrowing procedure.
(imported from commit fab9c6861f19aedf0ee8af094c1ef4e8a0a73d80)
This simplifies the code, and lets us set the CSRF cookie as HttpOnly, which
adds a little bit of security.
(imported from commit 9d5923a1acf19bd27e6e1d55cf627049526de245)
This reverts commit 074011dfe7dfa4d3cb331b32fc6cf465f98d095f. For
some reason this introduces some buggy behavior, and if anything I
should debug it more locally first.
(imported from commit 182193e6bb466a5668c2bb64e41712a793fa7ca2)
