<feed xmlns='http://www.w3.org/2005/Atom'>
<title>webao/webAO/dom-events.ts, branch master</title>
<subtitle>WebAO fork</subtitle>
<link rel='alternate' type='text/html' href='https://git.sof.beauty/webao/'/>
<entry>
<title>CSP hardening: remove inline scripts</title>
<updated>2026-06-06T03:09:27+00:00</updated>
<author>
<name>Osmium Sorcerer</name>
<email>os@sof.beauty</email>
</author>
<published>2026-06-06T02:07:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sof.beauty/webao/commit/?id=e0ce108e0806d18353ad85125b2b5f1b1c67e07d'/>
<id>e0ce108e0806d18353ad85125b2b5f1b1c67e07d</id>
<content type='text'>
The next layer after input validation to achieve the paranoid levels of
security. Remove all event handlers inside HTML attributes and add them
in TS for each element, allowing `script-src 'self'` to be used as a CSP
directive.

Buttons that passed some value and had a shared function went into
a global listener with data-action attribute, while all the individual
elements received their own event listener. This is a mess, but my goal
was to end up as close as I could to one-to-one translation of how
functions were originally attached to elements.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The next layer after input validation to achieve the paranoid levels of
security. Remove all event handlers inside HTML attributes and add them
in TS for each element, allowing `script-src 'self'` to be used as a CSP
directive.

Buttons that passed some value and had a shared function went into
a global listener with data-action attribute, while all the individual
elements received their own event listener. This is a mess, but my goal
was to end up as close as I could to one-to-one translation of how
functions were originally attached to elements.
</pre>
</div>
</content>
</entry>
</feed>
