Remove inline script injection

Inline script are bad, since it can lead to all sorts of nasty things.

Plus it makes CSP harder to configure safely.

A safer way is to use data-attributes to store/fetch values.

Fixes #83

assets/order_entries.publish.js

@@ -7,18 +7,26 @@
 	});
 
 	Symphony.Extensions.OrderEntries = function() {
-		var table, fieldId,	direction, oldSorting, newSorting, startValue, filters;
+		var table, fieldId, direction, oldSorting, newSorting, startValue, filters;
 
 		var init = function() {
+			var form = Symphony.Elements.contents.find('form');
 			table = Symphony.Elements.contents.find('table');
 			fieldId = table.attr('data-order-entries-id');
 			direction = table.attr('data-order-entries-direction');
-			filters = Symphony.Context.get('env').filters;
+			filters = form.attr('data-order-entries-filter');
+			var maxRows = parseInt(form.attr('data-order-entries-pagination-max-rows'), 10) || 1;
+			var currentPage = parseInt(form.attr('data-order-entries-pagination-current'), 10) || 1;
 
 			// convert filters into a query string
 			if (filters){
-				filters = {"filters":filters};
-				filters = '&' + $.param(filters)
+				try {
+					filters = '&' + $.param({
+						filters: JSON.parse(filters)
+					});
+				} catch (ex) {
+					filters = '';
+				}
 			} else {
 				filters = '';
 			}
@@ -27,7 +35,7 @@
 			Symphony.Elements.breadcrumbs.append('<p class="inactive"><span>– ' + Symphony.Language.get('drag to reorder') + '</span></p>');
 
 			// Force manual sorting
-			if(table.is('[data-order-entries-force]')) {
+			if (table.is('[data-order-entries-force]')) {
 				table.find('th:not(.field-order_entries)').each(disableSortingModes);
 			}
 
@@ -44,7 +52,7 @@
 			} else {
 				startValue = parseInt(table.find('tbody tr').eq(0).data('order'),10);
 			}
-			var assumedStartValue = Symphony.Context.get('env').pagination['max-rows'] * (Symphony.Context.get('env').pagination['current'] - 1) + 1;
+			var assumedStartValue = maxRows * (currentPage - 1) + 1;
 			if (startValue == 0 || direction == 'asc' && startValue < assumedStartValue) {
 				startValue = assumedStartValue;
 			}

extension.driver.php

@@ -173,14 +173,6 @@ public function adjustTable($context) {
 		 * Add components for manual entry ordering
 		 */
 		public function addComponents() {
-
-			// get pagination data
-			$pagination = array(
-				'max-rows' => Symphony::Configuration()->get('pagination_maximum_rows', 'symphony'),
-				'current' => (isset($_REQUEST['pg']) && is_numeric($_REQUEST['pg']) ? max(1, intval($_REQUEST['pg'])) : 1)
-			);
-
-
 			// get filter data
 			$filters = $_REQUEST['filter'];
 			if (is_array($filters)){
@@ -190,16 +182,18 @@ public function addComponents() {
 				}
 			}
 
-			// add pagination and filter data into symphony context if Symphony does not provide it
-			Administration::instance()->Page->addElementToHead(
-				new XMLElement(
-					'script', 
-					'if (! Symphony.Context.get(\'env\').pagination) Symphony.Context.get(\'env\').pagination='.json_encode($pagination).';' .
-					'if (! Symphony.Context.get(\'env\').filters) Symphony.Context.get(\'env\').filters='.json_encode($generatedFilters).';'
-					, array(
-						'type' => 'text/javascript'
-					)
-				)
+			// add pagination and filter data on the form element
+			Administration::instance()->Page->Form->setAttribute(
+				'data-order-entries-filter',
+				empty($generatedFilters) ? '' : json_encode($generatedFilters)
+			);
+			Administration::instance()->Page->Form->setAttribute(
+				'data-order-entries-pagination-max-rows',
+				Symphony::Configuration()->get('pagination_maximum_rows', 'symphony')
+			);
+			Administration::instance()->Page->Form->setAttribute(
+				'data-order-entries-pagination-current',
+				(isset($_REQUEST['pg']) && is_numeric($_REQUEST['pg']) ? max(1, intval($_REQUEST['pg'])) : 1)
 			);
 
 			Administration::instance()->Page->addScriptToHead(