* Prevent non-ugoira posts from getting dummy frame data records with
all the columns set to null.
* Make `data` and `content_type` columns NOT NULL, since they should
always be present.
* Remove the timestamps while we're at it, since they don't seem
necessary for anything.
* Change the id of the canvas tag to 'image'. This is what the notes JS
expects. It's also what the shift+e edit shortcut depends on.
* Add data-original-width/height attributes, which are what the notes JS
needs to position notes properly.
* Add all the other data attributes that regular images have, because
why not.
This refactors things such that
* Fetching the ugoira frame data happens at the end of rewrite, not
rewrite_html_pages. This way uploading zip URLs should work.
* The source data is cached in an instance variable in case it
was indeed fetched during rewrite_html_pages. This way it doesn't get
fetched a second time.
file.get_input_stream leaves the file open by default, which means the
zip cannot be moved later on. But the block version of it closes the
file automatically.
mkvmerge didn't realize it was supposed to output a webm specifically
because write_path does not have a file extension. The --webm option
tells it this instead.
Some browsers like Chrome (and some video players like MPC-HC) do not
display the last frame of a webm (or they display it, but only very
briefly) if set to loop. This commit is a hack to force the last frame
to display for the correct amount of time by duplicating it.
* Fix regex for getting frame data not working if agent is logged in to
pixiv
* Fix #unpack not returning the unpacked folder
* Fix frame_data being inaccessible because it was a local variable
* Fix images getting put in tmpdir, when they're expected to be in
tmpdir/images
* Fix deleting the tmpdir manually (it gets deleted automatically)
* Fix output webm being put in tmpdir (which gets deleted) instead of
write_path
1) Put `<script>alert("xss 1")</script>` in the Other Names field in an
artist entry.
2) Put `<script>alert("xss 2")</script>` in the URLs field.
3) Trick someone into viewing the history page for that artist.
This vulnerability allows someone to create a source link that appears
to lead to Pixiv like normal, but that actually executes Javascript code
when clicked.
1) Set the source of a post to javascript:"http://img1.pixiv.net/img/xss/";alert("xss");
2) Wait for someone to click the source link in the Information sidebar.
3) Profit.
The cause is that the regexes for detecting Pixiv URLs aren't anchored
to the front of the string using \A. This allows non-http:// links to be
created.
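As an added illustration of the anchoring bug described in this last commit message (example code, not Danbooru's own; the regex patterns, method names and sample URLs are assumptions), the unanchored pattern accepts a `javascript:` source that merely contains a Pixiv hostname, while the `\A`-anchored one rejects it. It also shows why `\A` rather than `^` is the right anchor in Ruby, and a scheme check that backs up the regex:

```ruby
require 'uri'

# Sample sources (constructed for this example).
XSS_SOURCE       = 'javascript:"http://img1.pixiv.net/img/xss/";alert("xss")'
LEGIT_SOURCE     = 'http://img1.pixiv.net/img/someartist/12345.jpg'
MULTILINE_SOURCE = "not-a-url\nhttp://img1.pixiv.net/img/someartist/1.jpg"

# Hypothetical stand-ins for the project's Pixiv URL regexes.
# Unanchored: matches anywhere in the string, so any source that
# *contains* a Pixiv image URL passes, whatever its scheme is.
UNANCHORED_PIXIV = %r{https?://img\d+\.pixiv\.net/}
# In Ruby, ^ matches the start of *any line*, so it is not a real
# start-of-string anchor either.
CARET_PIXIV      = %r{^https?://img\d+\.pixiv\.net/}
# \A anchors to the start of the whole string: the scheme must be http(s).
ANCHORED_PIXIV   = %r{\Ahttps?://img\d+\.pixiv\.net/}

def pixiv_source?(source, anchored: true)
  pattern = anchored ? ANCHORED_PIXIV : UNANCHORED_PIXIV
  !!(source =~ pattern)
end

def caret_pixiv?(source)
  !!(source =~ CARET_PIXIV)
end

# Defence in depth for the link rendered in the sidebar: parse the source
# as a URI and only emit an href when the scheme is http or https.
def safe_source_href(source)
  uri = URI.parse(source) rescue nil
  return nil unless uri && %w[http https].include?(uri.scheme)
  source
end
```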