Remove inline scripts from views and migrate to Stimulus controllers for CSP compliance

[antopalidi]

🎩 What? Why?

Remove all executable inline JavaScript from views, cells, and helpers to prepare for CSP hardening.

• Moves all inline <script> blocks from views and cells to Stimulus controllers
• Replaces <script type="text/template"> with HTML <template> elements
• Removes jquery-tmpl vendor dependency (source of unsafe-eval requirement)
• Migrates Decidim.config initialization to inert <script type="application/json"> blocks with hydration from external JS
• Removes all inline event handlers (onclick, onchange) from views and Ruby helpers
• Updates dynamic_fields.component.js to work with <template> elements instead of <script type="text/template">
• Replaces map marker popup rendering with native DOM API instead of jquery-tmpl
• Fixes HTML escaping in map marker popups: state labels (Evaluating, Accepted, etc.) now render as styled badges instead of raw HTML text

📌 Related Issues

• Related to Content Security Policy directive - unsafe-inline - SECURITY #16088

Testing

Describe the best way to test or validate your PR.

♥️ Thank you!

💰 Funding
This action is funded by Pokecode as an offering to the Decidim Association following the partners' meeting held on March 20th at Pokecode's request. This action is independent of Pokecode's partner fees. It is an offering of technical resources at zero cost as a show of support for the Decidim Association at a time when they have fewer technical resources available

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f78d623a-1f0d-489b-b63b-33e28e65e028

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch change/csp-inline-migration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

This pull request does not contain a valid label. Please add one of the following labels: ['type: feature', 'type: change', 'type: fix', 'type: removal', 'target: developer-experience', 'type: internal']

[alecslupu]

@antopalidi This PR becomes too large, and it will be hard to review / work on.

When we migrated the fist stimuls controllers we did the following:

1. Feature branch PR
2. Atomic PRs in in the feature branch (this way we can track that x, y controller is being used in a,b place )
3. Try to add some kind of header description for controller like we did in #16157
4. Also, we need some specs.

Have a look on what we have done on:

• #15045
• #15064

[alecslupu]

This should not be a controller. Check if you can add it in the entrypoint.

[alecslupu]

This should not be a controller. Check if you can add it in the entrypoint.

[alecslupu]

I do not understand this.

[andreslucena]

@antopalidi please do provide a separate PR for each checkbox (or even in the case of the Moves all inline <script> blocks from views and cells to Stimulus controllers you can do this in a module by module basis). If not this will be a pain to review and possible we will miss some details in the process. Thanks!

[paarals]

@antopalidi please do provide a separate PR for each checkbox (or even in the case of the Moves all inline <script> blocks from views and cells to Stimulus controllers you can do this in a module by module basis). If not this will be a pain to review and possible we will miss some details in the process. Thanks!

@andreslucena i think tomorrow you'll have a meeting together. please, can you write the agreements after that? or @microstudi @alecslupu