Remove inline scripts #4031
Comments
Can you close duplicates of this?
There is an ORM-linked issue containing more scripts that were moved from ORM to admin.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
How about keeping BC by just utilizing CSP nonce functionality? I.e. utilize <script nonce="{{ csp_nonce('script') }}"> from the nelmio security bundle and fall back to our own? Also, inline scripts/styles are not the only ones that should be taken care of. I.e. highly secure setups also require no unsafe-inline usage, which means that style="width: XXXpx" attributes are also forbidden.
Closing in favor of #7158
For many reasons, we should remove all scripts from the templates. We could replace them with data listeners like in the page bundle: sonata-project/SonataPageBundle#562.
General
Inline scripts couldn't be cached and would pollute the HTML output.
Security
There is also a security bundle which introduces some interesting information about security. You could completely disable inline scripts via an HTTP header to reduce possible XSS attacks.
For more information: http://www.w3.org/TR/CSP/
Todo
The following files contain inline scripts and should be removed in the next major release, because this is a BC break.
Refs #2911
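To make the two points in this thread concrete (a CSP header that disables inline scripts, and a nonce-based policy that keeps nonced scripts working while still rejecting un-nonced ones), here is a small policy checker. It is an added example, not code from SonataAdminBundle or the nelmio security bundle, and the header strings in it are constructed samples.

```python
import re

FALLBACK = "default-src"
# nonce-/hash-source expressions; the "nonce-" prefix and hash algorithm are case-insensitive
NONCE_OR_HASH = re.compile(r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$", re.I)

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def effective_sources(policy, directive):
    """script-src / style-src fall back to default-src when they are not set."""
    return policy.get(directive, policy.get(FALLBACK, []))

def allows_inline(policy, directive):
    """True if un-nonced inline code of this kind would execute under the policy."""
    if directive not in policy and FALLBACK not in policy:
        return True  # neither directive present: nothing restricts inline code
    sources = effective_sources(policy, directive)
    if any(NONCE_OR_HASH.match(s) for s in sources):
        return False  # CSP2+: once a nonce/hash source is listed, 'unsafe-inline' is ignored
    return "'unsafe-inline'" in sources

def nonced_element_runs(policy, directive, nonce):
    """Would <script nonce="..."> (or a nonced <style>) execute? Nonce values match case-sensitively."""
    if allows_inline(policy, directive):
        return True
    return f"'nonce-{nonce}'" in effective_sources(policy, directive)

def audit(header):
    """Report whether inline scripts and inline styles still get through."""
    policy = parse_csp(header)
    return {"inline_scripts": allows_inline(policy, "script-src"),
            "inline_styles": allows_inline(policy, "style-src")}

# Constructed sample headers, not taken from any real deployment.
LEGACY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
NONCED = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"

if __name__ == "__main__":
    for name, header in (("legacy", LEGACY), ("nonced", NONCED)):
        print(name, audit(header))
```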