Fix CSP blocking inline handlers - add unsafe-inline fallback

- Refactored TicketView.php to use event listeners instead of onclick
- Added unsafe-inline to CSP as fallback for legacy handlers in other views
- TODO: Complete refactoring of DashboardView and admin views

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

middleware/SecurityHeadersMiddleware.php

@@ -26,8 +26,10 @@ class SecurityHeadersMiddleware {
         $nonce = self::getNonce();
 
         // Content Security Policy - restricts where resources can be loaded from
-        // Using nonce for inline scripts instead of unsafe-inline for better security
-        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
+        // Nonces are used for <script> tags, but 'unsafe-inline' is needed for legacy onclick handlers
+        // TODO: Refactor all inline event handlers (onclick, etc.) to use addEventListener,
+        //       then remove 'unsafe-inline' from script-src for full CSP protection
+        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
 
         // Prevent clickjacking by disallowing framing
         header("X-Frame-Options: DENY");