This is an archive of the discontinued Mercurial Phabricator instance.

paper: don't register click handlers with inline javascript (issue5812)
ClosedPublic

Authored by indygreg on May 2 2018, 10:16 PM.

Details

Summary

The use of inline href="javascript:" undermines CSP policies that
don't allow inline javascript.

This commit changes the registering of the diffstat and line wrapping
toggle handlers to the the global DOMContentLoaded handler, thus
eliminating all inline javascript from the paper template.

Diff Detail

Repository
rHG Mercurial
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

indygreg created this revision.May 2 2018, 10:16 PM
krbullock accepted this revision.May 2 2018, 10:21 PM
krbullock added a subscriber: krbullock.

Queued, thanks.

This revision is now accepted and ready to land.May 2 2018, 10:21 PM
This revision was automatically updated to reflect the committed changes.
yuja added a subscriber: yuja.May 2 2018, 11:45 PM

Maybe needs href="#" to make it look like a link?

In D3437#54736, @yuja wrote:

Maybe needs href="#" to make it look like a link?

Good catch. I submitted a follow-up at D3438. Feel free to roll into this one on hg-committed if it looks good to you.