[JENKINS-72136] Remove inline onclick handlers for generate directive button

[NeetigyaPod]

• JENKINS issue(s):
  • https://issues.jenkins.io/browse/JENKINS-72136
• Description:
  • Inline handlers were showing in console. Used the recommendations given in the issue.
• Documentation changes:
  • There is no feature change but just a minor change for security reasons.
• Users/aliases to notify:
  • n/a

Testing:
Screenshots:
Before:

After:

mvn tests run and changes appear in mvn:hpi run

[Kevin-CB]

I tested your changes locally, with the CSP plugins, and it works fine!
I'm not able to see the previous CSP violations!

[NeetigyaPod]

Hi, that's great. Sorry for the extra spaces. Will take care in future contributions.

[NeetigyaPod]

Hi @Kevin-CB can we merge this before end of October? I would like it to be a part of my hacktoberfest contribution.

[Kevin-CB]

Hi @NeetigyaPod, even though I approved this PR, I can't merge it as I'm not a maintainer of this plugin.

[NeetigyaPod]

@jglick Can you please help me in this? Would appreciate a lot

[jglick]

likely needs to be revisited in another PR

[NeetigyaPod]

Can be done. Will work on it after this one

[jglick]

Could probably get rid of the generateId trick now, by having the button look for a sibling textarea.

[NeetigyaPod]

Sibling in the sense- I can allocate a similar class name to the text area and remove all the mentions of the id variable?

[jglick]

Would have to look up some example, since I do not normally work on JS at all, but IIRC the point is that now that the behavior function is passed an element it would be able to use that argument to perform operations without a (unique) ID—either directly on the element in the argument, or on some sibling in the DOM.

In other words: when using inline <script> with a Jelly facet that might be included multiple times on a page, like the config snippet for a build step in a freestyle project config screen, you have the problem that

<body>
  <!-- first occurrence -->
  <div>
    <button onclick="handle()"/>
    <textarea id="spot"/>
    <script>
      function handle() {
        document.getElementById('spot').text = 'handled';
      }
    </script>
  </div>
</body>

will not work as soon as you add a second <div> with the same content: clicking either button will update the same textarea, perhaps the wrong one. generateId used to be used as a workaround:

<body>
  <!-- first occurrence -->
  <div>
    <j:set var="id" value="${h.generateId()}"/>
    <button onclick="handle()"/>
    <textarea id="spot-${id}"/>
    <script>
      function handle() {
        document.getElementById('spot-${id}').text = 'handled';
      }
    </script>
  </div>
</body>

When switching to a proper adjunct, you do not need this trick since

<body>
  <!-- first occurrence -->
  <div>
    <button class="mybutton"/>
    <textarea/>
    <st:adjunct …/>
  </div>
</body>

function handle(button) {
  button.getSiblingByType('textarea').text = 'handled';
}

will work regardless of how many copies there are. (All code above is pseudocode, actual method names etc. are going to be a bit different.)

Of course in many cases the Jelly fragment could never be included more than once in a page because of what it is for, so whether a unique id was even needed here to begin with, I am unsure; it may have been included “just in case”.

[NeetigyaPod]

Ohhhh makes sense. Thank you, will treat it as nit for future contributions in Jenkins.

[jglick]

@Kevin-CB have you retested after the latest changes?

[Kevin-CB]

have you retested after the latest changes?

Yes, last time I tested, it was on f18663b

[jglick]

Looks OK at a glance (relying on other reviewers for details & testing).