- Security fix/Breaking change (Imagelib): Require allowedImageLibOrigins
  config array be set with safe origins or otherwise reject `postMessage`
  messages in case from untrusted sources
- Security fix/Breaking change (xdomain): Namespace xdomain file to avoid
  it being used to modify non-xdomain storage
- Security fix (Imagelib): Expose `dropXMLInternalSubset` to extensions
  for preventing billion laughs attack (and use in Imagelib)
Brett Zamir
2018-09-24 20:59:47 +08:00
parent 25ed8ad465
commit 11baad0402
10 changed files with 55 additions and 25 deletions

@@ -31,7 +31,7 @@ $('a').click(function () {
try {
data = canvas.toDataURL();
} catch (err) {
// This fails in Firefox with file:// URLs :(
// This fails in Firefox with `file:///` URLs :(
alert('Data URL conversion failed: ' + err);
data = '';
}
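Review bot: The reworded comment in the catch block still attributes the `toDataURL()` failure only to Firefox with `file:///` URLs, but that call throws a SecurityError in any browser once the canvas holds cross-origin image data that was not loaded with CORS approval. Suggest widening the comment to say so, since the handler then continues with `data = ''` and whatever consumes `data` afterwards receives an empty string rather than an image.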