security: fix inline scripts

themes/freemind/layout/_widget/search.ejs

@@ -12,10 +12,6 @@
   <div id="local-search-result"></div>
   </div>
 
-  <script type="text/javascript" id="local.search.active">
-    var inputArea       = document.querySelector("#local-search-input");
-    inputArea.onclick   = function(){ getSearchFile("<%- url_for('./search.xml') %>"); this.onclick = null }
-    inputArea.onkeydown = function(){ if(event.keyCode == 13) return false }
-    </script>
+  <script src="<%- url_for('./js/active_search.js') %>"> async</script>
     
 <% } %>

themes/freemind/source/js/active_search.js

@@ -0,0 +1,4 @@
+id="local.search.active"
+var inputArea       = document.querySelector("#local-search-input");
+inputArea.onclick   = function(){ getSearchFile("search.xml"); this.onclick = null }
+inputArea.onkeydown = function(){ if(event.keyCode == 13) return false }