XH 1.7: Remove event handler attributes

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE

XH 1.7: Remove event handler attributes

Post by cmb » Tue Mar 24, 2015 1:16 pm

Hi everybody,

I suggest removing the event handler attributes from the core and the internal plugins (meta_tags, page_params and filebrowser), and replacing them with event listeners. I prefer to keep JavaScript out of the generated HTML generally, as it tends to require painful escaping for anything non-trivial (see Filebrowser_View::escapeForEventHandlerAttribute(), for instance), and seems to add some complexity to the dependency resolution. But more importantly, it would be a prerequisite for enabling Content Security Policy. According to the Content Security Policy Level 2 CR there may be workarounds via nonces and hashes, but that might introduce unnecessary complexity.
Christoph M. Becker – Plugins for CMSimple_XH
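
An added example, not part of the original post and not CMSimple_XH code: a check for the prerequisite described above. A Content Security Policy whose script-src lacks 'unsafe-inline' blocks event handler attributes, so this Node.js script lists the ones still present in generated HTML; the function name and the sample markup are constructed for illustration.

```javascript
// Added example, not CMSimple_XH code. Lists event handler attributes (onclick,
// onsubmit, ...) left in generated HTML; a Content Security Policy whose
// script-src lacks 'unsafe-inline' refuses to run every one of them.

// One start tag: name, then attributes; quoted values may contain '>'.
const START_TAG = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// One attribute: name, optionally followed by a quoted or unquoted value.
const ATTRIBUTE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function findEventHandlerAttributes(html) {
  // Comments and script/style bodies are not markup: drop them, keep the tags.
  const markup = html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/(<(script|style)\b[^>]*>)[\s\S]*?(<\/\2\s*>)/gi, "$1$3");
  const findings = [];
  for (const tag of markup.matchAll(START_TAG)) {
    for (const attr of tag[2].matchAll(ATTRIBUTE)) {
      const name = attr[1].toLowerCase();
      if (/^on[a-z]+$/.test(name)) {
        findings.push({
          element: tag[1].toLowerCase(),
          attribute: name,
          code: attr[2] ?? attr[3] ?? attr[4] ?? "",
        });
      }
    }
  }
  return findings;
}

// Constructed sample of back-end output (not taken from CMSimple_XH).
const SAMPLE = `<body onload="init()">
<!-- <a onclick="old()">commented out</a> -->
<form action="?edit" onsubmit='return check(this, "x > 1")'>
<input type=text name=only value="onclick=1" ONCHANGE=mark()>
<button type="button" id="save" data-onclick="no">Save</button>
<script src="admin.js">document.body.onclick = function () {};</script>
</form></body>`;

for (const f of findEventHandlerAttributes(SAMPLE)) {
  console.log(`<${f.element}> ${f.attribute}: ${f.code}`);
}
```

An empty result for every generated page means no event handler attribute stands in the way of a policy without 'unsafe-inline'.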


Re: XH 1.7: Remove event handler attributes

Post by cmb » Sun Mar 29, 2015 10:03 pm

I propose this patch. It removes all event handler attributes[1] which I could find, and adds event listeners instead which are registered in a "jQuery style". To avoid introducing some general JS library, I've duplicated some code for now. We should consider either using jQuery instead, or rolling a minimal JS library of our own, in one of the next sprints, but at least for now, this duplication seems to be tolerable.

[1] Except the $onload attributes used in the front-end (login form and password forgotten focusing), because we do not yet have any JS resources for the front-end.
Christoph M. Becker – Plugins for CMSimple_XH

manu
Posts: 1090
Joined: Wed Jun 04, 2008 12:05 pm
Location: St. Gallen - Schweiz

Re: XH 1.7: Remove event handler attributes

Post by manu » Mon Mar 30, 2015 8:20 am

Just a question as we didn't lock out older templates: Is this HTML < 5 - proof?
Besides impressive good work, Christoph.
regards
manu


Re: XH 1.7: Remove event handler attributes

Post by cmb » Mon Mar 30, 2015 12:38 pm

manu wrote: Just a question as we didn't lock out older templates: Is this HTML < 5 - proof?
Yes. Using event listeners is actually more standards conforming, because they have been introduced in the DOM Level 2 Events Specification, whereas the exact behavior of event handler attributes may not have been standardized at all.
manu wrote: Besides impressive good work, Christoph.
Thanks.
Christoph M. Becker – Plugins for CMSimple_XH


Re: XH 1.7: Remove event handler attributes

Post by cmb » Tue Apr 21, 2015 6:24 pm

Done (r1535).
Christoph M. Becker – Plugins for CMSimple_XH
