Description
HTML event handler attributes (th:on*) such as:

<a th:onclick="...">

...could benefit from their values being considered inlined JavaScript blocks, just like the bodies of <script th:inline="javascript"> tags. This would allow all the features that Thymeleaf makes available to inlined JavaScript code, including the security benefits (such as JavaScript-text-literal escaping), to be applied to their contents.

So such an event handler could now be written as:

<a th:onclick="doSomething([[${textdata}]]);">

And the code above, if textdata has the value One "JavaScript" message, will result in, first, the textdata variable being output as a JavaScript literal (and therefore escaped) as "One \"JavaScript\" message", and then the whole value of the HTML attribute being HTML-escaped as expected:

<a onclick="doSomething(&quot;One \&quot;JavaScript\&quot; message&quot;);">

Note this new feature will alleviate the restriction on the evaluation of variables in these handlers imposed by means of #705, while protecting from unintended output of JavaScript-unescaped data that might not be trustable.
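To make the two layers concrete, here is an added JavaScript model of the escaping described above (example code, not Thymeleaf's own implementation, which delegates to Unbescape): the value is first emitted as a JavaScript string literal, then the whole attribute value is HTML-escaped, and a small browser-side decode shows why an HTML-only variant breaks the handler. The function names and the reduced escape tables are assumptions of this example.

```javascript
// Added example, not Thymeleaf code. Models the two escaping layers applied to
// <a th:onclick="doSomething([[${textdata}]]);"> when th:on* is treated as
// inlined JavaScript. Escape tables are a simplified subset of Unbescape's.

// Layer 1: emit the value as a JavaScript string literal (what [[${...}]]
// produces inside inlined JavaScript).
function jsStringLiteral(value) {
  const table = { '\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r' };
  return '"' + String(value).replace(/[\\"'\n\r]/g, (ch) => table[ch]) + '"';
}

// Layer 2: HTML-escape the whole attribute value, as Thymeleaf does for every
// attribute it writes.
function htmlAttr(value) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (ch) => table[ch]);
}

// Inlined handler: JS-literal escaping, then HTML escaping (layers 1 + 2).
function renderOnclickInlined(textdata) {
  return `<a onclick="${htmlAttr(`doSomething(${jsStringLiteral(textdata)});`)}">`;
}

// HTML-only handler: the value is dropped into the quotes without JS escaping.
function renderOnclickHtmlOnly(textdata) {
  return `<a onclick="${htmlAttr(`doSomething("${textdata}");`)}">`;
}

// Simulate the browser: decode the attribute's entities to obtain the script
// the JavaScript engine will actually see.
function attributeToScript(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  return m[1].replace(/&quot;/g, '"').replace(/&#39;/g, "'")
             .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Does the decoded handler still parse as one JavaScript call? (Parse only;
// nothing is executed.)
function parsesAsJs(script) {
  try { new Function(script); return true; } catch (e) { return false; }
}
```

With the page's sample value the inlined form decodes back to a valid `doSomething("One \"JavaScript\" message");`, while the HTML-only form decodes to `doSomething("One "JavaScript" message");`, which no longer parses as a single string argument.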