Bug #13501
closed
Avoid inline events, in favour of JavaScript events
100%
Description
With the introduction of CSP, if enabled, the default will not use unsafe-inline. This blocks inline JavaScript handlers from running. A DOM element like <div onclick="doSomething()">Click me!</div> will not be allowed to run.
The browser will block this event handler from running.
There are several places where we do rely on this. They should be replaced in favor of pure JavaScript functionality. An easy equivalent, when having a <div id="{id}">Click me!</div>, is to define Wt.$('{id}').onclick = doSomething;
This is completely equivalent, and allowed by the CSP, since all JavaScript that is executed is done so from the context of the initial framework set-up, which passed the nonce test, and can execute any JavaScript from it, thanks to strict-dynamic.
Updated by Matthias Van Ceulebroeck 11 days ago
- Status changed from InProgress to Review
- Assignee changed from Matthias Van Ceulebroeck to Romain Mardulyn
Updated by Matthias Van Ceulebroeck 11 days ago
- Status changed from Review to Implemented @Emweb
- Assignee changed from Romain Mardulyn to Matthias Van Ceulebroeck
- % Done changed from 0 to 100
Updated by Matthias Van Ceulebroeck 4 days ago
- Status changed from Implemented @Emweb to Implemented @Test
Updated by Matthias Van Ceulebroeck 4 days ago
- Status changed from Implemented @Test to Closed
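The audit this issue calls for, as an added example that is not part of the original report or of the Wt code base: it checks whether a CSP lets inline handlers run and lists each on* attribute in a markup string with a replacement binding in the Wt.$('{id}').onclick style. The function names, the sample policy and the sample markup are assumptions made up for illustration.

```javascript
// Added example. Sample inputs are constructed, not taken from the Wt code base.

// True when the policy lets every inline handler run (CSP3 "allow all inline" rule).
// Per-handler matching through 'unsafe-hashes' is not evaluated.
function inlineHandlersAllowed(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources); // first one wins
  }
  // Handlers are governed by script-src-attr, then script-src, then default-src.
  const list = directives.get('script-src-attr') || directives.get('script-src') ||
    directives.get('default-src');
  if (!list) return true; // no governing directive, so nothing is restricted
  const nullified = list.some(s =>
    /^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'");
  return list.includes("'unsafe-inline'") && !nullified;
}

// Lists every on* attribute in an HTML string (regex scan, not a full HTML parser).
function findInlineHandlers(html) {
  const tagRe = /<([a-z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
  const attrRe = /([^\s=\/"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const findings = [];
  for (const [, tag, attrText] of html.matchAll(tagRe)) {
    const attrs = [...attrText.matchAll(attrRe)]
      .map(m => [m[1].toLowerCase(), m[2] ?? m[3] ?? m[4]]);
    const id = (attrs.find(([n]) => n === 'id') || [])[1] || null;
    for (const [name, code] of attrs) {
      if (/^on[a-z]+$/.test(name)) findings.push({ tag, id, event: name.slice(2), code });
    }
  }
  return findings;
}

// Suggested replacement in the page's Wt.$('{id}').onclick style; null without an id.
function suggestBinding({ id, event, code }) {
  return id ? `Wt.$(${JSON.stringify(id)}).on${event} = function(event) { ${code} };` : null;
}

function audit(csp, html) {
  const blocked = !inlineHandlersAllowed(csp);
  return findInlineHandlers(html).map(f => ({ ...f, blocked, fix: suggestBinding(f) }));
}

const SAMPLE_CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline'";
const SAMPLE_HTML = `<div id="menu" onclick="doSomething()">Click me!</div>
<a href="#" onMouseOver='show("a > b")'>no id</a><span id="plain">no handler</span>`;
console.log(JSON.stringify(audit(SAMPLE_CSP, SAMPLE_HTML), null, 2));
```

A finding whose fix is null has no id to bind to, so the element needs one before the handler can be moved out of the markup.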