upgrade Aspen to 0.39+

[chadwhitacre]

0.39 has the changes we're interested in. Here's the Changelog:

https://github.com/gratipay/aspen-python/blob/master/Changelog.md#040---released-mon-jun-29-2015-by-whit537

[chadwhitacre]

I'm skunked by AspenWeb/pando.py#462 for now. :-(

[chadwhitacre]

Down to one test failure. I'm using an unreleased version of Aspen locally that includes AspenWeb/pando.py#463. I'm waiting to cut a new Aspen release until we're sure we've got a version that's going to work with Gratipay.

[chadwhitacre]

I also want to double-check the interaction of redirect_to_base_url and website.redirect.

[chadwhitacre]

Here's the diff of the output from master and this branch for the failing test:

--- good.txt    2015-07-01 07:31:09.000000000 -0400
+++ bad.txt 2015-07-01 07:43:17.000000000 -0400
@@ -186,8 +186,8 @@

             <p>To receive money, do something awesome and then tell people about it:</p>
             <ol>
-                <li><a href='/alice/'>Fill out your profile</a> to let others know about you.</li>
-                <li>Reach a wider audience by <a href='/alice/widgets'>embedding our widgets</a> on your blog/website.</li>
+                <li>&lt;a href=&#39;/alice/&#39;&gt;Fill out your profile&lt;/a&gt; to let others know about you.</li>
+                <li>Reach a wider audience by &lt;a href=&#39;/alice/widgets&#39;&gt;embedding our widgets&lt;/a&gt; on your blog/website.</li>
             </ol>
         </div>

[chadwhitacre]

In other words, we're escaping HTML when we don't want to.

[chadwhitacre]

I believe this has something to do with our i18n plumbing relative to the scoping changes in simplates (see AspenWeb/pando.py#462, etc.).

[chadwhitacre]

Hypothesis: the htmlescape function is never making it into the simplate rendering context, because it's being placed in the state dict, which no longer influences rendering context as of AspenWeb/pando.py#463. Therefore, the return value of get_text is a string and not a MarkupSafe (or whatevs), so the autoescaping kicks in and escapes it.

[chadwhitacre]

Yeah, it's because the context in the lambdas for {n_,}get_text are bound to state.

[chadwhitacre]

I guess we need a new way to influence template context from algorithm functions. Maybe an explicit state['render_context'] reference?

[chadwhitacre]

I also want to double-check the interaction of redirect_to_base_url and website.redirect.

Looking at this now ...

[chadwhitacre]

Rebased on master to pick up #3581.

[chadwhitacre]

Ready for review.

[chadwhitacre]

Ping @rohitpaulk @rorepo @kzisme @techtonik et al. I'd like to get this out the door today, because it addresses security issues (we really should've done this in https://github.com/gratipay/security-qf35us before making that public :-( ).

[chadwhitacre]

Proceeding since it's security-related.