templates: align forms for repo creation and repo settings

99% whitespace changes and reordering.

html: put 'use strict' on separate lines

use.py:
import re
import sys
for fn in sys.argv[1:]:
with open(fn) as f:
s = f.read()
s = re.sub(r'''(<script>)('use strict';)\n( *)''', r'''\1\n\3\2\n\3''', s)
with open(fn, 'w') as f:
f.write(s)

python use.py $(hg loc 'kallithea/templates/**.html')

js: use strict ... and fix the problems it points out

"use strict" gives stricter checks, both statically and at runtime. The
strictness tightens up the code and prevents some kinds of problems.

The <script> tag addition might not be pretty, but has consistently been added
with:

sed -i 's,<script>$,&'"'"'use strict'"'"';,g' `hg loc '*.html'`

clone_url: always pass a clone_uri_tmpl, with Repository.DEFAULT_CLONE_URI as last resort

clone_url() had a layering violation of using c.clone_uri_tmpl . This
refactoring now makes it clear that this only was used from
PullRequest.__json__(), so move the hack there and simplify it.

locking: drop the pull-to-lock / push-to-unlock functionality

The feature is not worth the maintenance cost. The locking is too coarse and
unflexible with insufficient UI and UX. The implementation is also quite
invasive in tricky areas of the code, and thus high maintenance.
Dropping this will enable other cleanup ... or at least make it easier.

users: remove code that is unused after most autocomplete has been switched to ajax

@mention support still require _USERS_AC_DATA as a global variable.

autocomplete: use select2 when selecting owner of repos and PRs

This is a minimal change to SimpleUserAutoComplete, inspired by Dominik Ruf.

The UX is slightly different than before, with select2 putting up an extra
input field, already before typing anything.

We use minimumInputLength 1 to get the same behaviour as before and avoid
displaying all users in a list. This field will always have an old value and
the placeholder is thus never used, but we show it instead of the default
"Please enter 1 or more character" message.

The initSelection iteration is not pretty, but no more complex than what
happens when filtering the user list, and it has the advantage of giving a nice
name/gravatar display of the current user.

autocompletion: drop explicit container elements - just create them when necessary

The previous wide styling of the @mention selection list didn't look pretty -
just use the default width.

Inspired by select2 port by Dominik Ruf.

style: drop form-horizontal - our style is much closer to plain Bootstrap forms

form-horizontal is made for grid markup. It give form-groups a negative margin
to break out of the grid ... but the way we use it for settings, we have to do
weird things to undo that. The default styling for forms is much closer to what
we want. It looks ok without our custom styling and is easier to style to our
style.

If we want grid markup with form-horizontal, it would be correct to
re-introduce both at once.

templates: properly escape inline JavaScript values

TLDR: Kallithea has issues with escaping values for use in inline JS.
Despite judicious poking of the code, no actual security vulnerabilities
have been found, just lots of corner-case bugs. This patch fixes those,
and hardens the code against actual security issues.

The long version:

To embed a Python value (typically a 'unicode' plain-text value) in a
larger file, it must be escaped in a context specific manner. Example:

>>> s = u'<script>alert("It\'s a trap!");</script>'

1) Escaped for insertion into HTML element context

>>> print cgi.escape(s)
&lt;script&gt;alert("It's a trap!");&lt;/script&gt;

2) Escaped for insertion into HTML element or attribute context

>>> print h.escape(s)
&lt;script&gt;alert(&#34;It&#39;s a trap!&#34;);&lt;/script&gt;

This is the default Mako escaping, as usually used by Kallithea.

3) Encoded as JSON

>>> print json.dumps(s)
"<script>alert(\"It's a trap!\");</script>"

4) Escaped for insertion into a JavaScript file

>>> print '(' + json.dumps(s) + ')'
("<script>alert(\"It's a trap!\");</script>")

The parentheses are not actually required for strings, but may be needed
to avoid syntax errors if the value is a number or dict (object).

5) Escaped for insertion into a HTML inline <script> element

>>> print h.js(s)
("\x3cscript\x3ealert(\"It's a trap!\");\x3c/script\x3e")

Here, we need to combine JS and HTML escaping, further complicated by
the fact that "<script>" tag contents can either be parsed in XHTML mode
(in which case '<', '>' and '&' must additionally be XML escaped) or
HTML mode (in which case '</script>' must be escaped, but not using HTML
escaping, which is not available in HTML "<script>" tags). Therefore,
the XML special characters (which can only occur in string literals) are
escaped using JavaScript string literal escape sequences.

(This, incidentally, is why modern web security best practices ban all
use of inline JavaScript...)

Unsurprisingly, Kallithea does not do (5) correctly. In most cases,
Kallithea might slap a pair of single quotes around the HTML escaped
Python value. A typical benign example:

$('#child_link').html('${_('No revisions')}');

This works in English, but if a localized version of the string contains
an apostrophe, the result will be broken JavaScript. In the more severe
cases, where the text is user controllable, it leaves the door open to
injections. In this example, the script inserts the string as HTML, so
Mako's implicit HTML escaping makes sense; but in many other cases, HTML
escaping is actually an error, because the value is not used by the
script in an HTML context.

The good news is that the HTML escaping thwarts attempts at XSS, since
it's impossible to inject syntactically valid JavaScript of any useful
complexity. It does allow JavaScript errors and gibberish to appear on
the page, though.

In these cases, the escaping has been fixed to use either the new 'h.js'
helper, which does JavaScript escaping (but not HTML escaping), OR the
new 'h.jshtml' helper (which does both), in those cases where it was
unclear if the value might be used (by the script) in an HTML context.
Some of these can probably be "relaxed" from h.jshtml to h.js later, but
for now, using h.jshtml fixes escaping and doesn't introduce new errors.

In a few places, Kallithea JSON encodes values in the controller, then
inserts the JSON (without any further escaping) into <script> tags. This
is also wrong, and carries actual risk of XSS vulnerabilities. However,
in all cases, security vulnerabilities were narrowly avoided due to other
filtering in Kallithea. (E.g. many special characters are banned from
appearing in usernames.) In these cases, the escaping has been fixed
and moved to the template, making it immediately visible that proper
escaping has been performed.

Mini-FAQ (frequently anticipated questions):

Q: Why do everything in one big, hard to review patch?
Q: Why add escaping in specific case FOO, it doesn't seem needed?

Because the goal here is to have "escape everywhere" as the default
policy, rather than identifying individual bugs and fixing them one
by one by adding escaping where needed. As such, this patch surely
introduces a lot of needless escaping. This is no different from
how Mako/Pylons HTML escape everything by default, even when not
needed: it's errs on the side of needless work, to prevent erring
on the side of skipping required (and security critical) work.

As for reviewability, the most important thing to notice is not where
escaping has been introduced, but any places where it might have been
missed (or where h.jshtml is needed, but h.js is used).

Q: The added escaping is kinda verbose/ugly.

That is not a question, but yes, I agree. Hopefully it'll encourage us
to move away from inline JavaScript altogether. That's a significantly
larger job, though; with luck this patch will keep us safe and secure
until such a time as we can implement the real fix.

Q: Why not use Mako filter syntax ("${val|h.js}")?

Because of long-standing Mako bug #140, preventing use of 'h' in
filters.

Q: Why not work around bug #140, or even use straight "${val|js}"?

Because Mako still applies the default h.escape filter before the
explicitly specified filters.

Q: Where do we go from here?

Longer term, we should stop doing variable expansions in script blocks,
and instead pass data to JS via e.g. data attributes, or asynchronously
using AJAX calls. Once we've done that, we can remove inline JavaScript
altogether in favor of separate script files, and set a strict Content
Security Policy explicitly blocking inline scripting, and thus also the
most common kind of cross-site scripting attack.

style: add missing 'form-control' markup

Based on work by Dominik Ruf.

style: drop 'textarea' class inside 'form-group'

Temporarily, just apply styling to div inside form-group. Also, 'radios' is gone.

Based on work by Dominik Ruf.

style: drop 'checkboxes' class inside 'form-group'

Temporarily, just apply styling to div inside form-group. Also, 'radios' is gone.

Based on work by Dominik Ruf.

style: drop 'input' class inside 'form-group'

As long as we use the old styling, just apply styling to div inside form-group.

Based on work by Dominik Ruf.

templates: use Bootstrap compatible 'form-control' name instead of 'medium' & co

In Bootstrap, form controls tend to be 100%.

style: refactor form label styling to prepare for Bootstrap and get rid of wrapping with 'label' class

Based on work by Dominik Ruf.

style: put all admin form buttons in a form-group, as our future Bootstrap likes it

Based on work by Dominik Ruf.

style: in preparation for Bootstrap, refactor to use Bootstrap compatible form class names

Based on work by Dominik Ruf.

Mostly:

sed -i \
-e 's,<table>,<table class="table">,g' \
-e 's,<div class="fields">,<div class="form-horizontal">,g' \
-e 's,<div class="field">,<div class="form-group">,g' \
-e 's,<label for="\([^"]*\)">,<label class="control-label" for="\1">,g' \
`hg mani`

cat kallithea/public/css/style.css | \
sed -e '/\.fields\>/{p;s/\.fields/.form-horizontal/g}' | \
sed -e '/\.fields\>/s/ {$/,/g' | \
sed -e '/\.field\>/{p;s/\.field\>/.form-group/g}' | \
sed -e '/\.field\>/s/ {$/,/g' | \
sed -e '/\.fields\>.*\.form-group\>/d' | \
sed -e '/\.form-horizontal\>.*\.field\>/d ' | \
cat - > kallithea/public/css/style.css.tmp
mv kallithea/public/css/style.css.tmp kallithea/public/css/style.css

style: in preparation for bootstrap, use bootstrap compatible button class names

Give all buttons a styling (default, success, danger, warning) and rename the sizes to sm and xs.

This is a subset of a bigger changeset. The subset was extracted by Mads Kiilerich, mostly by:

sed -i \
-e 's,btn btn-small,btn btn-default btn-sm,g' \
-e 's,btn btn-mini,btn btn-default btn-xs,g' \
-e 's,btn-default btn-\(xs\|sm\) btn-\(success\|danger\|warning\),btn-\2 btn-\1,g' \
-e 's,class_="btn",class_="btn btn-default",g' \
`hg mani`

db: PullRequest/Repository/RepoGroup/UserGroup: change 'user' to 'owner'

Rename the 'user' and 'user_id' fields on the four classes to something
more informative. The database column names remain unchanged for now;
a later Alembic script can fix the name of these and other columns to
match their Python name.

This might break rcextensions, though, and external scripts that use
the HTML form interface.

js: refactor AutoComplete functions to pass jQuery results around until DOM elements are passed to YUI

A small step forward that enables other refactorings.

repos: fix abuse of dead 'repo' routing

The repo "show" controller didn't do anything and was unused. There was a
routing GET entry for it but it was only used for generating URLs for DELETE
and PUT operations that have separate controllers that happen to have the same
URL.

Use the right routing entries when generating URLs and drop the dead code.

remote: simplify clone_uri UI

The UI was a bit weird ... probably in an attempt of making it editable while
hiding passwords. Instead, just show the URL with password hidden, and only
save it back if it changed.

The UI only contains the clone_uri with passwords hidden. It will thus only be
saved when the form result is different from the value that was shown to the
user.

autocomplete: fix completion of repository owner

The owner field of a repository setting was supposed to be autocompletable,
but never really did (at least not in Kallithea, probably it once did in
Rhodecode).

Instead of making yet another 'OwnerAutoComplete', make a generic
SimpleUserAutoComplete that can be reused in other places that only need
completion of a text input field.

Refer to “remote repository” and “clone” consistently in templates.

Modified by Mads Kiilerich.

templates: whitespace/linebreak cleanup around "remote URL"

Minimize the diff from
http://lists.sfconservancy.org/pipermail/kallithea-general/2015q2/000710.html
so it more easily can be reviewed.

spelling: fix title casing on translated template strings

Primarily texts.

spelling: consistent capitalization of URL

Change Url / url into URL.
Additionally, convert the sole use of 'Uri' to URL.

remotes: add support to clone from Mercurial repositories over ssh

This commit adds support to clone a remote Mercurial repository over ssh.

Interactive password authentication is not implemented, nor is support for
pbulic key authentication with passphrases; the repository should be
accessible using bare ssh key authentication.
For this reason, the ssh options -oBatchMode=yes and -oIdentitiesOnly=yes
are added to the ui.ssh setting of Mercurial.

spelling: fix various typos

This commit fixes various typos or basic English grammar mistakes found by
reviewing the kallithea.pot file.

Full correction of sentences that are not very well formulated, like missing
articles, is out of scope for this commit. Likewise for inconsistent
capitalization of strings like 'Repository group'/'Repository Group'.

Second step in two-part process to rename directories.
This is the actual directory rename.