Firefox logs CSP warning on items containing TableOfContents macro

[RogerHaase]

No other browsers (tested Firefox, Edge, Chrome, Opera on Windows 10) logged a similar CSP warning.

Firefox log shows warning similar to:

2025-08-10 13:31:32,030 WARNING moin.apps.frontend.views:305 127.0.0.1 application/csp-report: 
{
'blocked-uri': 'inline',
'column-number': 1, 
'disposition': 'report', 
'document-uri': 'http://127.0.0.1:5000/Home', 
'effective-directive': 'script-src-attr', 
'original-policy': "
    default-src 'self'; 
    script-src 'self'; 
    style-src 'self'; 
    img-src 'self'; 
    report-uri http://127.0.0.1:5000/+cspreport/log
", 
'referrer': 'http://127.0.0.1:5000/Home', 
'source-file': 'http://127.0.0.1:5000/Home', 
'status-code': 200, 
'violated-directive': 'script-src-attr'
}

The warning is generated by html_out.py near line 754:

            headtogglelink = html.a(
                attrib={
                    html.class_: "moin-showhide",
                    html.href_: "#",
                    html.onclick_: "$('.moin-table-of-contents ol').toggle();return false;",
                },
                children=["[+]"],
            )

and near line 793:

                togglelink = html.a(
                    attrib={
                        html.href_: "#",
                        html.onclick_: f"$('#li{id} ol').toggle();return false;",
                        html.class_: "moin-showhide",
                    },
                    children=["[+]"],
                )

Firefox objects to use of html.onclick.

[RogerHaase]

The intended benefit of the above code is to put [+] targets in the table of contents macro such that the users can click on the target and hide a portion the TOC. This feature is not available in moin 1.9x.

  Contents[+]
    Moin Wiki Macros[+]
        Four Built-in Macros[+]
            TableOfContents
            FootNotes
            BR - Forced Line Break
            Include
    Level 1 on the included page[+]
        Level 2 on the included page
        Extension Macros from MoinMoin/macro/[+]
            Anchor
            Date
            DateTime
            FontAwesome
           << snip >>

I am thinking that the TOC show/hide feature is more of an annoyance than a feature and we should just delete it rather than fix it.

Any objections?

[UlrichB22]

I think it's good to be able to toggle the visibility of the entire TOC. I tried to add an existing JS function from common.js such as moin-viewoptions, but I couldn't get it to work in the short time.

IMO, the function is not necessary for every entry in the table of contents.

It's fine for me to remove the entire feature for now. It can be added later using JS script.

[RogerHaase]

Agree, 1 toggle link for whole TOC would be better.

[roland-ruedenauer]

This patch should fix the issue:

diff --git a/src/moin/converters/html_out.py b/src/moin/converters/html_out.py
index 29568ae4..321639d2 100644
--- a/src/moin/converters/html_out.py
+++ b/src/moin/converters/html_out.py
@@ -754,8 +754,7 @@ class ConverterPage(Converter):
                 headtogglelink = html.a(
                     attrib={
                         html.class_: "moin-showhide",
-                        html.href_: "#",
-                        html.onclick_: "$('.moin-table-of-contents ol').toggle();return false;",
+                        html.href_: "#"
                     },
                     children=["[+]"],
                 )
@@ -793,7 +792,6 @@ class ConverterPage(Converter):
                     togglelink = html.a(
                         attrib={
                             html.href_: "#",
-                            html.onclick_: f"$('#li{id} ol').toggle();return false;",
                             html.class_: "moin-showhide",
                         },
                         children=["[+]"],
diff --git a/src/moin/static/js/common.js b/src/moin/static/js/common.js
index 5176bdf3..bcb94a38 100644
--- a/src/moin/static/js/common.js
+++ b/src/moin/static/js/common.js
@@ -920,5 +920,14 @@ $(document).ready(function () {
     // placing initToggleComments after enhanceEdit prevents odd autoscroll issue when editing hidden comments
     moin.initToggleComments();
 
+    $('.moin-table-of-contents .moin-showhide').on('click', function (event) {
+        event.preventDefault();
+        var parent = $(this).parent();
+        if ($(parent).is('.moin-table-of-contents-heading')) {
+            parent = $(parent).parent();
+        }
+        $(parent).find('ol:first-of-type').toggle();
+    });
+
     moin.restoreFlashMessages();
 });