Currently, in order for Converse.js to recognize a pasted URL as an
image, it must be an URL whose protocol is `https:` (`https` in the
URI.js library's notation). This is sensible, but means that any
non-HTTPS image URL is not recognized as a valid URL (and thus will not
be rendered inline, even if `show_images_inline` is set to `true`).
It is important to always check for HTTPS URLs when in a secure context
(i.e., the initial page load was requested via HTTPS) in order to ensure
that non-secured content does not mix with secured content. However, the
inverse is not true: if the original page was loaded over HTTP, then
enforcing HTTPS for images adds arguably no meaningful protection while
also breaking the `show_images_inline` feature for the edge cases where
Converse.js is deployed without HTTPS and a user pastes an HTTP URL.
This patch changes the behavior of the `isImageURL` method such that the
requirement for the pasted URL's protocol to be `https:` is enforced
only when the `window.location.protocol` itself is also `https:`. By
doing this, we ensure that secure origins (i.e., when Converse.js is
loaded over HTTPS initially) are still secured and cannot have non-HTTPS
content introduced to the page via a pasted non-HTTPS URL, however it
also allows non-HTTPS origins to render both HTTP and HTTPS image URLs.
As per XEP-0004, the default "type" of data form fields is
"text-single", so a missing "type" attribute should not be treated
differently.
This fixes handling of CAPTCHAs offered by ejabberd.
* Replace `tearDown` overrides with event handlers.
* Move presence listeners to `connected` event handler, otherwise they
don't get called when logging in again after disconnection.
* Add `clearSession` listeners to clean up upon disconnection.
* Use `Promise.all` instead of listening for multiple events.
Don't check for older messages with same msgid
we can't rely on a message's `id` attribute being unique.
Also, remove `createMessage` in favour of calling `messages.create` directly.
