Remove inline JS for initializing search, put in external JS file.

Peter Serwylo requested to merge pserwylo/jekyll-fdroid:remove-inline-js into master

The JS was previously inline, so it had access to Jekyll/Liquid variables such as the unique identifier of the search input wrapper. Now that it is no longer inline, it doesn't have access to those, so such variables have been put into data-* attributes to be queried via JS later.

Turns out that the other inline script with type="x-tmpl-mustache" doesn't violate the CSP, which is handy.

Note that there is a slim possibility that someone can add a <script type="x-tmpl-mustache"> template to their app description, and it may end up being rendered by the site. However, this is extremely unlikely, because they'd need to correctly guess both a random number and the timestamp that a repository was last updated, and that will change every time the site is rendered. It will also be avoided if we get around to properly sanitizing descriptions and other data from app developers, so that it doesn't include <script> tags.
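The distinction the description relies on, as an added example that is not part of the merge request or jekyll-fdroid's code: a build-time check that classifies each `<script>` element in rendered HTML as external, inline executable (blocked by a CSP without `'unsafe-inline'`), or a data block such as `x-tmpl-mustache` that the browser never executes. The element ids, `data-template-id`, `/js/search-init.js` and `initSearch` are hypothetical names in a constructed sample page.

```javascript
// Added example. Regex scanning approximates an HTML parser well enough for a
// build-time lint of generated pages; it does not handle ">" inside attributes.
// Types the HTML spec executes as classic scripts (exact match, no parameters).
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Parse the attribute string of a start tag into a lower-cased name/value map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Classify every <script> element. Other browser-processed types (for example
// import maps) are out of scope here and fall into "data-block".
function classifyScripts(html) {
  const found = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const type = (attrs.type || "").trim().toLowerCase();
    const executable = type === "" || type === "module" || JS_MIME_TYPES.has(type);
    let kind = "data-block"; // never executed, so script-src is not consulted
    if (executable) kind = "src" in attrs ? "external" : "inline-executable";
    found.push({ kind, type: type || "(default)", id: attrs.id || null });
  }
  return found;
}

// Scripts that a CSP without 'unsafe-inline', nonces or hashes would block.
function inlineViolations(html) {
  return classifyScripts(html).filter((s) => s.kind === "inline-executable");
}

// Constructed sample page: template block, external init file, leftover inline init.
const SAMPLE_HTML = `
<div id="search-wrapper-1" data-template-id="search-tmpl-1"></div>
<script id="search-tmpl-1" type="x-tmpl-mustache"><li>{{name}}</li></script>
<script src="/js/search-init.js"></script>
<script>initSearch("search-wrapper-1");</script>
`;
```

Running `inlineViolations` over each generated page in CI catches an inline initializer that creeps back in, while template blocks pass untouched.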