From e0ce108e0806d18353ad85125b2b5f1b1c67e07d Mon Sep 17 00:00:00 2001
From: Osmium Sorcerer <os@sof.beauty>
Date: Sat, 6 Jun 2026 02:07:05 +0000
Subject: CSP hardening: remove inline scripts

The next layer after input validaton to achive the paranoid levels of
security. Remove all event handlers inside HTML attributes and add them
in TS for each element, allowing `script-src 'self'` to be used as a CSP
directive.

Buttons that passed some value and had a shared function went into
a global listener with data-action attribute, while all the individual
elements received their own event listener. This is a mess, but my goal
was to end up as close as I could to one-to-one translation of how
functions were originally attached to elements.
---
 webAO/client.ts | 1 +
 1 file changed, 1 insertion(+)

(limited to 'webAO/client.ts')

diff --git a/webAO/client.ts b/webAO/client.ts
index f013f0a..7ad885f 100644
--- a/webAO/client.ts
+++ b/webAO/client.ts
@@ -23,6 +23,7 @@ import {
 } from "./client/fetchLists";
 import { ExMsgType, handleRegisterCredential, handleAssertCredential, AuthState } from "./ext_packet"
 import { initWebAuthn } from "./auth"
+import "./dom-events"
 const { ip: serverIP, connect, mode, theme, serverName, char: autoChar, area: autoArea } = queryParser();
 export { autoChar, autoArea };
 
-- 
cgit