onclick attribute not allowed with CSP unless unsafe-inline used

`RequestCollector` and `RouteCollector` both add the `onclick` attribute to the `<a>` tags for XDebug links.  When using a Content Security Policy (CSP) the JavaScript in those attributes will be blocked from executing unless `unsafe-inline` is enabled in the policy.