> Similarly, why is an online event handler considered a security risk? I just don’t see the difference between that and using a named function?
It is a vector for script injection, and should be disallowed with a strong CSP (no “unsafe-inline”).
Isn’t that only the case when the inline code uses untrusted user data somehow?
Inline: alert("Hello "+userInput) is problematic.
Inline: alert("Hello there") isn't, right?