Skip to content

Remove inline Javascript, part I #9513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 3,830 commits into
base: master
Choose a base branch
from
Draft

Remove inline Javascript, part I #9513

wants to merge 3,830 commits into from

Conversation

pabzm
Copy link
Member

@pabzm pabzm commented Jun 21, 2024
edited
Loading

As part of #9508 here's a change that removes add_script() and transports js_commands in JSON, which then gets interpreted as callbacks to call with given arguments, instead of evaling strings.

This does not tackle the many inline event handlers, in order to keep it manageable.

alecpl and others added 30 commits February 9, 2024 21:11
@alecpl
Fix phpstan errors
d33737c
@alecpl
Fix phpstan errors
6ca7237
@alecpl
Fix phpstan errors
c640704
@alecpl
Fix CS/phpstan error
c88d92f
@alecpl
Merge branch 'master' of https://github.com/Popyllol/roundcubemail in…
cd1beac 
…to Popyllol-master
@alecpl
Update changelog, CS fixes
ef716f6
@alecpl
Merge branch 'Popyllol-master'
c21f5f0
@mvorisek
Increase phpstan level to 4 (roundcube#9347)
2a9b85e
@johndoh
Add set-unread-count JS event on unread message count change (roundcu…
5a05eb8 
…be#9344)
@johndoh
Add JS events to message_list_hover_menu functions (roundcube#9362)
a416c0b
@alecpl
Fix fatal error when http_client option is undefined (roundcube#9358)
6293e64
@alecpl
Remove redundant code
949bfc5
@alecpl
Fix PHP8 warnings (roundcube#9363)
4415570
@mvorisek
Improve phpstan rules (roundcube#9353)
638f2d2 
* enable phpstan bleading edge

* gen baseline using CI

* Revert "gen baseline using CI"

* fix baseline

* enable phpstan strict rules

* gen baseline using CI

* Revert "gen baseline using CI"
@alecpl
Fix attachment name decoding when 'charset' parameter exists in the h…
18acf5a 
…eaders (roundcube#9376)
@alecpl
Fix some phpstan errors
e814577
@alecpl
Fix phpstan errors
84e7490
@alecpl
Code style improvements
f0ace1c
@alecpl
CS fixes
882c70a
@alecpl
Code improvements
2fc0f5c
@alecpl
Code improvements
864a48b
@alecpl
Code improvements in the spellchecker classes
32adc42
@alecpl
Code improvements
5cfacb9
@alecpl
CS fix
545d1f6
@alecpl
Enigma: Code improvements
2d4bdae
@alecpl
CS fixes
526951a
@alecpl
Code improvements
7ad1316
@alecpl
Code improvements
26587c0
@alecpl
Code improvements
4aa2309
@alecpl
PHPStan: Allow variable variables for now
b11f5d1
pabzm added 21 commits September 5, 2024 14:41
@pabzm
Allow to run event-listener-attacher for given root element
1b66ea6 
This allows to call it on specific elements only, e.g. after they've
been inserted late to the DOM.
@pabzm
Fix subscription toggle of newly created folders
b461821
@pabzm
De-inline program/include
4ba9c22
@pabzm
Move rcube_webmail static methods to instance
f02627f 
There's no apparent reason for them to be static, and no explanation,
but as instance methods they are directly callable from the de-inlined
event-handlers and we save some helper methods, which is good.
@pabzm
fixup: de-inline program/actions
fce17ab
@pabzm
fixup de-inline actions
2bb82ca
@pabzm
De-inline skins/elastic
74543f0
@pabzm
fixup de-inline program/include
80b05b1
@pabzm
WIP: Send strict CSP (strict for JS)
b6f0284
@pabzm
De-eval HTTP response handling
64f3866
@pabzm
WIP: TODO comment
e5f5aec
@pabzm
Fix log statement
8db5115
@pabzm
json_encode in html class
50f4a53 
This make it easier for the calling code.
@pabzm
Remove useless call
fb7ae07
@pabzm
De-inline app.js, part 1
3d94dc7
@pabzm
Fix image upload
a4f1dcb 
Have to repeat attaching event handlers after a clone().
@pabzm
Hand around Nodes instead of using innerHTML
42ff18b 
This allows to strip 'unsafe-eval' from the CSP.
@pabzm
Use jQuery event setters and helpers to get rid of innerHTML
debc2ad
@pabzm
innerText is enough here, don't need innerHTML
76b9e25 
innerHTML requires 'unsafe-eval' in the CSP, while innerText doesn't.
@pabzm
Re-add lost preventDefault
9916939 
If the last argument to a data-on* attribute is an object (associative
array in PHP), it is used as options, which allow to specify if
preventDefault() should be called on the event.
This is relevant for some parts of the code and got lost in previous
changes.
@pabzm
WIP: Use jQuery to attach event-handlers based on attributes
b737876
@pabzm pabzm force-pushed the extract-inline-js branch from 72cfd49 to fedc7d2 Compare September 5, 2024 12:41
@pabzm
Copy link
Member Author

pabzm commented Sep 5, 2024

(Rebased to latest of "master")

@pabzm pabzm mentioned this pull request Sep 16, 2024
Closed
2 tasks
@pabzm
Copy link
Member Author

pabzm commented Oct 30, 2024

@alecpl I would really appreciate if you would take the time to reply again on this topic. Just getting the ball dropped is a pretty frustrating collaboration experience.

@pabzm pabzm linked an issue Nov 5, 2024 that may be closed by this pull request
Support CSP nonces in message frames so that unsafe-inline isn't required. #6281
Open
@alecpl
Copy link
Member

alecpl commented Nov 19, 2024

I'll need more time. Maybe @johndoh have some thoughts on this.

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 4, 2024

@pabzm, @alecpl
🛎️ This PR has had no activity in two weeks.

@pabzm pabzm force-pushed the extract-inline-js branch from fedc7d2 to b737876 Compare February 20, 2025 10:05
@pabzm pabzm marked this pull request as draft February 20, 2025 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alecpl alecpl alecpl requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@pabzm pabzm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support CSP nonces in message frames so that unsafe-inline isn't required.