Our `.eslintrc.yml` configuration file already allows for avoiding escape (see [ESLint doc for `avoidEscape`](https://eslint.org/docs/rules/quotes#avoidescape)) so we might as well use it. We already use this in a few places I believe.
If the Content-Length header is present in the response when an image
is prefetched, The Lounge can avoid wasting bandwidth (both for itself
and for the image's host) if the value of the header exceeds the
prefetch size limit by aborting the request immediately.
This has the benefit of not adding `.preview` divs everywhere, anytime we use `parse()`, and also to un-tie the position of the preview blocks from the result of the helper. This means that templates that call `parse` and have some extra markup after that are not constrained anymore.
This is effectively an alternative, better way to fix https://github.com/thelounge/lounge/issues/1343, but the initial fix that was put in place (https://github.com/thelounge/lounge/pull/1347) is still relevant, for example to make sure a preview stays hidden (and does not add extra margin/padding/etc.) if the link does not prefetch.
- Load up to 5 previews per message (to avoid abuse)
- Do not load multiple times the same URL
- Prepare preview containers per message instead of appending (to maintain correct order)
- Store an array of previews instead of a single preview in `Msg` objects
- Consolidate preview rendering for new messages and upon refresh/load history (when rendering entire channels)
- Update `parse` tests to reflect previous point
- Add test for multiple URLs
- Switch preview tests from `assert` API to `expect` API
Several ES6 additions are only available in strict mode. Example:
> SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode
Strict mode was also enabled in a few of our files already, and it is a good thing to have anyway.
This reverts commit 29b66ff0ec.
Rationale:
1) It's not a security feature (abuse of prefetch can be on any server it's not
more/less risky on localhost), it's pseudo-security measure
2) It's not to us to judge if it has no use-case (in fact it has, ex: two dev
speaking and experimenting about urls of their local site/app instance,
local web apps...)
refs #388