pluginhost: rework run_hooks() to be shorter, add callback variant; implement exception handling for both

PluginHost: add HOOK_HEADLINE_TOOLBAR_SELECT_MENU_ITEM
Headlines.onActionChanged: removed

- fix vulnerability in rewrite_relative_url() which prevented some URLs from being properly absolutized
- fetch_file_contents: validate all URLs before requesting them
- validate URLs: explicitly whitelist http and https scheme, forbid everything else
- DiskCache/cached_url: only serve whitelisted content types (images, video)
- simplify filename/URL handling code, remove and consolidate some less-used functions

* pass feed id to HOOK_FEED_PARSED

remove hardcoded iframe domain whitelist, make iframe script whitelisting configurable by plugins (HOOK_IFRAME_WHITELISTED)

* DiskCache: multiple fixes; support isWritable() for cache entries, set content-disposition for send()
* public/cached_url: allow selecting files from sub-caches other than images
* plugins/Cache_Starred_Images: rework to use DiskCache, can be enabled per-user, properly handles article enclosures, etc

plugins: add HOOK_GET_FULL_TEXT which may be used to provide full text extraction to core code and other plugins, instead of trying to invoke af_readability specifically

 * support various logging levels per-message
 * remove hacks like debug_suppress, DAEMON_EXTENDED_DEBUG, etc
 * _debug() is kept as a compatibility shim for plugins