Why is this so weirdly prescriptive about inline event handlers?
> Even in a single file, inline event handlers are not a good idea. One button is OK, but what if you had 100 buttons? You'd have to add 100 attributes to the file; it would quickly turn into a maintenance nightmare.
> You should never use the HTML event handler attributes — those are outdated, and using them is bad practice.
It’s a really good explanatory text, and then it gets surprisingly opinionated.
Similarly, why is an inline event handler considered a security risk? I just don’t see the difference between that and using a named function?
> Similarly, why is an inline event handler considered a security risk? I just don’t see the difference between that and using a named function?
It is a vector for script injection, and should be disallowed with a strong CSP (no “unsafe-inline”).
Inline handlers could execute trusted code without user input but in a way that was unintended like this button that hijacks a method of a trusted library and disguises it behind a like button:
This should be sanitized when the button HTML is injected into the DOM, but CSP provides complementary protection [1] if sanitizing fails.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP...
edited: tried to fix formatting
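An added example (mine, not from the thread or from MDN) that makes the difference between the two styles concrete: a server-side template that puts a value into an inline handler versus one that carries it as data, a review check that flags `on*` attributes in rendered HTML, and a check of whether a given CSP string would let inline handlers run at all. The `track` handler, the labels and the policies are constructed for the example; it runs under Node without a browser.

```javascript
// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Anti-pattern: the value is spliced into JavaScript source inside an
// attribute. Attribute-escaping does not save it: the browser decodes the
// entities before the JS parser sees the handler, so the apostrophe in
// "O'Brien" still terminates the string literal and the rest is parsed as code.
function buildButtonInline(label) {
  return `<button onclick="track('${escapeAttr(label)}')">${escapeAttr(label)}</button>`;
}

// Hardened form: no script in the markup. The value travels as data and one
// delegated listener (attached from a script file or a nonce'd script tag)
// serves every button, so a CSP without 'unsafe-inline' can stay in force.
function buildButtonData(label) {
  return `<button data-track="${escapeAttr(label)}">${escapeAttr(label)}</button>`;
}
// Browser side, once for all buttons instead of one attribute per button:
// document.addEventListener('click', e => {
//   const b = e.target.closest('button[data-track]');
//   if (b) track(b.dataset.track);
// });

// Review heuristic: does rendered HTML contain any inline handler attribute?
const INLINE_HANDLER = /<[^>]*\son[a-z]+\s*=/i;
function hasInlineHandler(html) {
  return INLINE_HANDLER.test(html);
}

// Would this policy let inline event handlers run? script-src governs them,
// falling back to default-src. 'unsafe-inline' is ignored once a nonce or
// hash source is present; 'unsafe-hashes' re-enables hash-matched handlers.
function cspAllowsInlineHandlers(policy) {
  const dirs = new Map(policy.split(';').map(d => {
    const [name, ...sources] = d.trim().split(/\s+/);
    return [name, sources];
  }));
  const src = dirs.get('script-src') ?? dirs.get('default-src') ?? [];
  const hasNonceOrHash = src.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (src.includes("'unsafe-hashes'")) return true; // only matching hashes, but yes
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

The policy check is a linter-style approximation of the browser's rules, enough to catch a header that quietly re-enables `onclick` attributes.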