rstudio / bslib

Tools for theming Shiny and R Markdown via Bootstrap 3, 4, or 5.
https://rstudio.github.io/bslib/

Removal of inline scripts to make it easier to implement strict CSP against XSS attacks #1122

Open LDSamson opened 3 hours ago

LDSamson commented 3 hours ago

For example, every bslib::card() will create some inline JavaScript, calling bslib.Card.initializeAllCards() (see below). Would it be possible to move this function call to an external JS file and call it with something like <script src=''></script> instead?

Removing as many inline scripts as possible would make it easier to set a strict Content Security Policy when serving a Shiny application, and setting such a policy greatly improves security against XSS attacks. I am not sure if this is possible, but I thought it was worth asking.

```r
cat(format(bslib::card()))
#> <div class="card bslib-card bslib-mb-spacing html-fill-item html-fill-container" data-bslib-card-init data-require-bs-caller="card()" data-require-bs-version="5">
#>   <script data-bslib-card-init>bslib.Card.initializeAllCards();</script>
#> </div>
```
gadenbuie commented 1 hour ago

There are a few other options we've explored, with the top candidate being rewriting cards and sidebars as Custom Elements or Web Components. If we were implementing them again today, this would certainly be our first choice. Some work has been done in this direction in #1009, but unfortunately we haven't had the time to take this on. It's definitely on our radar and we appreciate you bringing it up!