When streaming, log messages now show the URL and IP of the originating
request, so that it's easier to determine what client is listening to
something on the server.

The `ClientAbortException` exception indicates that the connection was
closed by the client, usually for something the server can do nothing
about (e.g. navigating outside of the page while it's loading).
Since this error happens often, this commit displays shorter error
messages when it does, without a large stack trace.
All other exceptions are handled just as before.

The only place where the string `webfx` is mentioned
was in playQueue.jsp, to include a small css file, twice,
that only applies to webfx components, that aren't used
anywhere in the codebase.

The inline javascript used with the cancel buttons
was only used to change the location.
Instead of doing this, it's easier to wrap
the button in a tag.
This is related to #909.
- Fix a stupid self-XSS. I doubt that there are ways to
use it against other users, but well, better safe than sorry
- Replace the javascript-on-focus hacks with the `autofocus` attribute

Previously, lost passwords were generated via
org.apache.commons.lang.RandomStringUtils,
which is using java.util.Random internally.
This PRNG has a 48-bit seed, that can easily be bruteforced
if an attacker is able to get the PRNG's output, for example
by resetting their own account multiple times,
leading to trivial privilege escalation attacks.
This commit makes use of java.security.SecureRandom
instead.
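
The difference described in the last commit message, as an added example that is not the project's own code: the same generator routine driven first by `java.util.Random` and then by `java.security.SecureRandom`. The class name, alphabet, password length and seed value are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

public class ResetPasswordExample {
    // Constructed alphabet for this example; not taken from the project.
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    // Draws `length` characters from ALPHABET using the supplied generator.
    // nextInt(bound) rejects out-of-range draws, so there is no modulo bias.
    static String generate(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Weak: every character is a pure function of the 48-bit internal state,
        // so two generators with the same state emit the same "random" password.
        long seed = 42L; // constructed seed value
        String a = generate(new Random(seed), 12);
        String b = generate(new Random(seed), 12);
        System.out.println("java.util.Random, same seed, same password: " + a.equals(b));

        // Hardened: SecureRandom extends Random, so it drops into the same call,
        // but it is seeded from the platform entropy source and is designed so
        // that earlier outputs do not reveal later ones.
        SecureRandom secure = new SecureRandom();
        String c = generate(secure, 12);
        String d = generate(secure, 12);
        System.out.println("SecureRandom passwords differ: " + !c.equals(d));
    }
}
```

Create the `SecureRandom` instance once and reuse it rather than constructing a new one per reset request.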