The actual question appears to be about the use of the onclick attribute vs a fully-fledge event listener. I’m not sure where preventDefault() and stopPropagation() come into it. I’m very confused.
On the original question: the use of the onclick attribute is generally frowned upon as a security risk since it requires the definition of a string which is then parsed into javascript. Depending where this string came from, it is a potential means of injecting malware. At one extreme, if the attribute is hard-coded, for example in an xul file, then it is relatively safe, but adding one in javascript, and most especially constructing one out of other strings, is risky and would be rejected by a reviewer. A second disadvantage is that setting an onclick attribute from javascript risks overwriting one that has been set in the html or by other javascript.
The safe way to add an event listener using javascript is to use addEventListener(). addEventListener() can accept a function or an object implementing the eventListener interface as its second parameter. The eventListener interface simply requires a handleEvent() method. For example:
element.addEventListener(“click”, function() { do anything you want here, except use eval() });
element.addEventListener(“click”, {handleEvent() : function(event) { your function here });
Of course you wouldn’t normally use an anonymous object inline like this, but would have a static object used to handle many different events. It can even be an object used for other purposes such as a wrapper for many functions, so long as one of them is called handleEvent.