Don't use inline script
https://thalia.nu/thabloid/ uses an inline script for a click handler. Inline scripts should not be used, as they are unsafe.
The Content-Security-Policy should block inline scripts, so the remaining inline scripts should be removed.
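
One way to find the remaining inline scripts mentioned above, as an added example that is not part of the original issue or the project's code: a small Node.js audit that lists what a Content-Security-Policy without `'unsafe-inline'` would block in a rendered page. The sample markup and the `openViewer` handler name are constructed for illustration.

```javascript
// Added example: list what a CSP without 'unsafe-inline' would block in a page.
// Regex scanning is a quick audit heuristic, not a full HTML parser; every
// <script> element without src is reported, whatever its type attribute says.

// Constructed sample markup (not the actual thalia.nu page source).
const SAMPLE_HTML = `
<html><head>
  <script src="/static/js/main.js"></script>
  <script>document.title = "x";</script>
</head><body>
  <a href="#" onclick="openViewer(3); return false;">Open</a>
  <a href="javascript:void(0)">Noop</a>
  <button id="next" data-page="4">Next</button>
</body></html>`;

function findInlineScripts(html) {
  const findings = [];
  // 1. <script> elements with no src attribute and a non-empty body.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim() !== "") {
      findings.push({ kind: "script-element", snippet: m[2].trim().slice(0, 60) });
    }
  }
  // 2. Event-handler attributes (onclick, onload, ...) on any start tag.
  const tagRe = /<[a-z][^>]*>/gi;
  const handlerRe = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
  for (const t of html.matchAll(tagRe)) {
    for (const h of t[0].matchAll(handlerRe)) {
      findings.push({ kind: "event-handler", snippet: `${h[1]}=${h[2]}`.slice(0, 60) });
    }
  }
  // 3. javascript: URLs, which CSP treats like inline script.
  const jsUrlRe = /\s(href|src|action)\s*=\s*["']?\s*javascript:[^"'\s>]*/gi;
  for (const m of html.matchAll(jsUrlRe)) {
    findings.push({ kind: "javascript-url", snippet: m[0].trim().slice(0, 60) });
  }
  return findings;
}

// Print one line per finding for the constructed sample.
for (const f of findInlineScripts(SAMPLE_HTML)) {
  console.log(`${f.kind}: ${f.snippet}`);
}
```

Each `event-handler` finding is fixed by moving the handler body into an external script file and binding it with `addEventListener`, which a policy without `'unsafe-inline'` permits.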