Hi everybody,
I suggest removing the event handler attributes from the core and the internal plugins (meta_tags, page_params and filebrowser), and replacing them with event listeners. I prefer to keep JavaScript out of the generated HTML generally, as it tends to require painful escaping for anything non-trivial (see Filebrowser_View::escapeForEventHandlerAttribute(), for instance), and seems to add some complexity to the dependency resolution. But more importantly, it would be a prerequisite for enabling Content Security Policy. According to the Content Security Policy Level 2 CR there may be workarounds via nonces and hashes, but that might introduce unnecessary complexity.
XH 1.7: Remove event handler attributes
Christoph M. Becker – Plugins for CMSimple_XH
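Added example (not part of the original post and not CMSimple_XH code): a heuristic scan that lists the event handler attributes still present in generated HTML, which is the markup a Content Security Policy without 'unsafe-inline' would refuse to execute. The function name and the sample markup are constructed for illustration.

```javascript
// Heuristic audit, not a full HTML parser: lists on* event handler attributes
// in generated markup so they can be replaced with event listeners.
function findEventHandlerAttributes(html) {
  // Drop comments and script/style bodies so their text is not read as tags.
  const cleaned = html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/(<(script|style)\b[^>]*>)[\s\S]*?(<\/\2\s*>)/gi, "$1$3");
  // A start tag: name, then attributes (quoted values may contain '>').
  const tagRe = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  // One attribute: name, optionally = "value" | 'value' | unquoted value.
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const findings = [];
  for (const tag of cleaned.matchAll(tagRe)) {
    for (const attr of tag[2].matchAll(attrRe)) {
      const name = attr[1].toLowerCase();
      if (/^on[a-z]+$/.test(name)) {
        findings.push({
          element: tag[1].toLowerCase(),
          attribute: name,
          code: attr[2] ?? attr[3] ?? attr[4] ?? "",
        });
      }
    }
  }
  return findings;
}

// Constructed sample markup (not taken from CMSimple_XH).
const sampleHtml = `
<body onload="document.forms[0].elements[0].focus()">
<!-- <a onclick="ignored()">commented out</a> -->
<a href="?delete" onclick="return confirm('Delete &quot;a.txt&quot;?')">delete</a>
<input type="text" data-onchange="no" title="onfocus=x" onChange=update(this)>
<script>var s = '<p onclick="inString()">';</script>
</body>`;

for (const f of findEventHandlerAttributes(sampleHtml)) {
  console.log(`<${f.element}> ${f.attribute}: ${f.code}`);
}
```
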
Re: XH 1.7: Remove event handler attributes
I propose this patch. It removes all event handler attributes[1] which I could find, and adds event listeners instead which are registered in a "jQuery style". To avoid introducing some general JS library, I've duplicated some code for now. We should consider either using jQuery instead, or rolling a minimal JS library on our own, in one of the next sprints, but at least for now, this duplication seems to be tolerable.
[1] Except the $onload attributes used in the front-end (login form and password forgotten focusing), because we have not yet any JS resources for the front-end.
Christoph M. Becker – Plugins for CMSimple_XH
Re: XH 1.7: Remove event handler attributes
Just a question as we didn't lock out older templates: Is this HTML < 5 - proof?
Besides impressive good work, Christoph.
regards
manu
Re: XH 1.7: Remove event handler attributes
manu wrote: Just a question as we didn't lock out older templates: Is this HTML < 5 - proof?
Yes. Using event listeners is actually more standards conforming, because they have been introduced in the DOM Level 2 Events Specification, whereas the exact behavior of event handler attributes may not have been standardized at all.
manu wrote: Besides impressive good work, Christoph.
Thanks.
Christoph M. Becker – Plugins for CMSimple_XH
Re: XH 1.7: Remove event handler attributes
Done (r1535).
Christoph M. Becker – Plugins for CMSimple_XH