Why are inline event handler attributes a bad idea in modern semantic HTML?
Is inline event handlers considered a bad practice?
For example: <button onclick=someFunction()>Click me!</button>
If so, what are the disadvantages of using inline event handlers?
Solution 1:
It's a bad idea because...
-
Best practice suggests a clear split between content, style and script. Muddying your HTML with inline JavaScript (or CSS) is not consistent with this.
-
You can bind only one event of each kind with
on*
-style events , so you can't have twoonclick
event handlers, for example. -
If an event is specified inline, the JS is specified as a string (attribute values are always strings) and evaluated when the event fires. Evaluation is evil.
-
You are faced with having to reference named functions. This is not always ideal (event handlers normally take anonymous functions) and has implications on the function needing to be globally accessible
-
Your content security policy (CSP) will have to be (unwisely) expanded to allow evaluated inline JavaScript.
In short, handle events centrally via the dedicated addEventListener
API, or via jQuery or something.
[2021 Edit]
These days, reactive frameworks have somewhat reversed this trend; events in reactive frameworks are normally specified as attributes e.g. in Vue:
<p v-on:click=foo>Hello</p>
...where foo
is a method of the current component's data object.
Solution 2:
Aside from semantics and other opinions expressed in the accepted answer, all inline scripts are considered a vulnerability and high security risk. Any website expecting to run on modern browsers are expected to set the 'Content-Security-Policy' (CSP) property, either via meta attribute or headers.
Doing so is incompatible with all inline script and styles unless explicitly allowing these as an exclusion. While CSP goals are mainly about preventing persistent cross-site script (xss) threats, for which inline scripts and styles are a vector of xss, it is not default behaviour currently in browsers but may change in future.
Solution 3:
Building on @Mitya answer.
In most of the modern JS libraries React, Vue,..etc. inline event handlers are considered idiomatic, but most of the limitation mentioned by @Mitya are gone. As case study we will have look over Vuejs and compare it with point listed above:
- You can have more than one event-handler, look here
- Event values (handlers) such as
onclick
are not plain string but js expressions look here - Global Scope problem simply does not exist (because your code will get translated minifed, repackaged by tools such as webpack or other).
In my own opinion, inline event handler enhance readability majorly, but opinions may vary.