FAQ-001132 - Lightning Web Components and JavaScript Security / Inline JavaScript and Code Placement

**What Constitutes Inline JavaScript:** Inline JavaScript that's prohibited in Lightning Web Components includes any JavaScript code written directly within HTML attributes or tags, such as: - `onclick="someFunction()"` - `onmouseover="alert('Hello!')"` - Similar event handlers like `onmouseover` This type of JavaScript is not permitted in LWC because it bypasses the framework's security mechanisms and can lead to vulnerabilities like cross-site scripting (XSS). **How to Identify the Source:** To identify the source of the "Inline JavaScript not permitted" issue during an AppExchange security review: 1. **Review Your Code**: Check that no JavaScript is directly embedded within the HTML or component templates. Inline event handlers are not allowed. 2. **Use JavaScript Files**: Ensure all JavaScript is included in the component's JavaScript file or loaded from static resources. 3. **Sanitize Dynamic Content**: Verify that any dynamic content is properly sanitized and that attributes like `href` or `src` are validated and encoded. 4. **Avoid Third-Party Scripts**: Ensure no third-party scripts are dynamically loaded unless they comply with Salesforce's security guidelines. **Proper Approach:** Instead of inline JavaScript, you should define event handlers in the component's JavaScript file and bind them programmatically to the HTML elements. By carefully reviewing these areas, you can pinpoint and resolve the issue.