Area: mobieusKnow (audit p6) · Surface: mobieusKnow desktop editor formatting toolbar · Dimension: law-1-polish · Severity: minor
The toolbar works today only because the enforced CSP still allows 'unsafe-inline' for scripts, but the project also ships a Report-Only nonce-based CSP that it plans to enforce. Once that policy is enforced, every onclick attribute on these toolbar buttons stops firing (the browser logs a CSP violation to the console, but the user just sees a toolbar that does nothing), while the AI menu and image-upload logic in the same file keep working because they are bound with addEventListener from the nonce'd <script> block. This is latent breakage and an inconsistency within one file.
Evidence
editor.php:141-153 — eleven <button … onclick="wrapSel(...)"> / onclick="ins(...)"> handlers. bootstrap.php:547 — the enforced CSP includes 'unsafe-inline', so they work today. bootstrap.php:587 — the Report-Only CSP swaps to 'nonce-…' with NO 'unsafe-inline'. templates/CLAUDE.md states the intent to tighten CSP. Inline event-handler attributes cannot carry a nonce, so nothing short of 'unsafe-inline' (or a per-handler 'unsafe-hashes' entry) lets them run under the planned policy.
Suggested fix. Convert the toolbar to a single delegated addEventListener handler inside the existing nonce'd <script> block: give each button a data-md-action attribute, bind one click listener on the toolbar container, and resolve the target with closest('[data-md-action]'), matching how the mobile toolbar (mobile/knowledge/editor.php) and the rest of this editor already do it. The CSP-level alternative, 'unsafe-hashes' plus a sha256 hash for each of the eleven handler strings, is brittle (any edit to a handler changes its hash) and still leaves the file inconsistent with itself, so the delegation fix is the one to take. After the change, grep the rendered editor HTML for on*= attributes and test the toolbar with the Report-Only header temporarily promoted to enforced before shipping.
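The delegated binding described above, written out as an added example that is not the project's own code. It assumes a <textarea id="md"> holding the Markdown, a toolbar container marked data-md-toolbar, and action names such as bold/italic/hr; the real editor's wrapSel/ins signatures and markers may differ. The action logic is kept pure (text in, text plus selection out) so it can be tested without a DOM, and findInlineHandlers is the post-migration check that no onclick-style attribute is left for the nonce-only CSP to block.

```javascript
// Added example (not the project's code): CSP-safe delegated toolbar binding.
// Assumptions: <textarea id="md"> holds the document, the toolbar container
// carries data-md-toolbar, each button carries data-md-action, and the
// <script> tag this lives in carries the CSP nonce.

// Markdown actions keyed by data-md-action. Each returns the new text and
// selection, so the logic is pure and testable without a DOM.
const MD_ACTIONS = {
  bold:   (t, s, e) => wrapSel(t, s, e, '**', '**'),
  italic: (t, s, e) => wrapSel(t, s, e, '_', '_'),
  code:   (t, s, e) => wrapSel(t, s, e, '`', '`'),
  link:   (t, s, e) => wrapSel(t, s, e, '[', '](url)'),
  hr:     (t, s, e) => ins(t, s, e, '\n---\n'),
};

// Wrap the selection [start, end) of text with before/after markers and keep
// the original selection highlighted inside the markers.
function wrapSel(text, start, end, before, after) {
  const selected = text.slice(start, end);
  const out = text.slice(0, start) + before + selected + after + text.slice(end);
  const selStart = start + before.length;
  return { text: out, selStart, selEnd: selStart + selected.length };
}

// Replace the selection with a literal snippet and place the caret after it.
function ins(text, start, end, snippet) {
  const out = text.slice(0, start) + snippet + text.slice(end);
  const caret = start + snippet.length;
  return { text: out, selStart: caret, selEnd: caret };
}

// Apply a named action to a textarea-like object {value, selectionStart,
// selectionEnd}. Unknown names are ignored rather than thrown, so a typo in
// one button's markup cannot take down the whole toolbar.
function applyAction(name, ta) {
  const fn = MD_ACTIONS[name];
  if (!fn) return false;
  const r = fn(ta.value, ta.selectionStart, ta.selectionEnd);
  ta.value = r.text;
  ta.selectionStart = r.selStart;
  ta.selectionEnd = r.selEnd;
  return true;
}

// One delegated listener for the whole toolbar. closest() resolves clicks on
// inner <svg>/<span> children to the button that carries data-md-action.
function onToolbarClick(event, ta) {
  const btn = event.target.closest('[data-md-action]');
  if (!btn) return false;
  event.preventDefault(); // in case the toolbar sits inside a <form>
  ta.focus();
  return applyAction(btn.dataset.mdAction, ta);
}

function bindToolbar(toolbarEl, ta) {
  toolbarEl.addEventListener('click', (ev) => onToolbarClick(ev, ta));
}

// Wire-up for the real page; guarded so the file also loads outside a browser.
if (typeof document !== 'undefined') {
  const tb = document.querySelector('[data-md-toolbar]');
  const ta = document.getElementById('md');
  if (tb && ta) bindToolbar(tb, ta);
}

// Post-migration check: list inline event-handler attributes (onclick=, onkeyup=, ...)
// that a nonce-only CSP will block. Run over the rendered editor HTML; expect [].
function findInlineHandlers(html) {
  const re = /\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
  return (html.match(re) || []).map((m) => m.trim());
}
```

The fake-event shape used in the test (an object with target.closest and preventDefault) is only a stand-in for a real MouseEvent; in the browser the same onToolbarClick receives the genuine event from bindToolbar.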
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus