feat(add-ons): validate CDN fetch locations

[nijel]

Validate both local and remote locations before processing and when configuring the add-on.

[Copilot]

Pull request overview

Adds stricter validation for Weblate CDN add-on “Extract strings from HTML files” inputs (both local paths and remote URLs), aligning remote URL handling with ALLOWED_ASSET_DOMAINS and preventing unsafe repository file access.

Changes:

• Introduce validate_asset_url() and cover it with unit tests.
• Validate/guard CDN add-on extraction sources in both the configuration form and the parsing task (remote domain allowlist + local filename validation).
• Document the new restriction and add a changelog entry.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
weblate/utils/validators.py	Adds validate_asset_url() enforcing ALLOWED_ASSET_DOMAINS for http(s) URLs.
weblate/utils/tests/test_validators.py	Adds unit test coverage for the new asset URL validator.
weblate/addons/tasks.py	Validates remote URLs and local paths before reading/downloading content for extraction.
weblate/addons/forms.py	Validates each configured file/URL line on add-on configuration save.
weblate/addons/tests.py	Adds integration tests ensuring extraction refuses path traversal and disallowed remote domains.
docs/devel/html.rst	Documents that remote URLs are restricted by ALLOWED_ASSET_DOMAINS.
docs/admin/config.rst	Notes ALLOWED_ASSET_DOMAINS is used by the CDN add-on remote HTML downloads.
docs/changes.rst	Adds a bugfix changelog entry for validating parsed locations.