Convert onclick scripts event listeners

[samuelhwilliams]

There are a number of onclick attributes that have inline javascript: https://github.com/search?q=repo%3Apallets-eco%2Fflask-admin%20onclick&type=code

These don't support CSP nonces and so may be blocked in applications that apply strict CSP rules.

We should migrate all of the onclick attributes to event listeners set up in some JS files.

See also "Refactor inline event handlers and javascript: URIs" of https://csp.withgoogle.com/docs/adopting-csp.html

[samialfattani]

what about those tags with javascript:void(0) , for example

<a href="javascript:void(0)" value="{{ _gettext('Are you sure you want to delete this record?') }}" class="inline-remove-field"><i class="fa fa-times glyphicon glyphicon-remove"></i></a>

do we need to change them as well ?

I think it is also harm the CSP somehow, i think we need to replace them with event.preventDefault();. But if we removed javascript:void(0) then it will change the style of those buttons. i'm not so sure if we can restyle it with :

a:hover {
    cursor: pointer;
}