I was able to have it working by using this approach

<body>

<script th:inline="javascript">
    /*<![CDATA[*/

    var flag = [[${timerEnabled}]]; // if timer should be included or not
    var timeRemaining = [[${timeRemaining}]]; // the time remaining.
    window.onload = function() {
        if(!flag)
            return; // Exit/Return if the variable is false
        runTimer(timeRemaining); // Call your favourite method if the variable is true
    };

    /*]]>*/
</script>

Any other approach such as suggested in the exception is appreciated.

Since Thymeleaf 3.0.10 they fixed a security-bug regarding unescaped code.

Try

<body th:onload="[[${timerEnabled}]] ? 'javascript:runTimer(\'' + 
[[${timeRemaining}]] + '\');'">

Or the recommended way:

<body th:data1="${timerEnabled}"
  th:data2="${timeRemaining}"
    th:onload="this.getAttribute('data1') ? javascript:runTimer(this.getAttribute('data2'));">

To read more: https://github.com/thymeleaf/thymeleaf/issues/707 And: http://forum.thymeleaf.org/Thymeleaf-3-0-10-JUST-PUBLISHED-tt4031348.html#a4031353

Try it this way.

<body th:onload="${timerEnabled eq true} ? 'javascript:runTimer(\'' + ${timeRemaining} + '\');'">

If it doesn't work, you can also try using th:if.

<th:block th:if="${timerEnabled} eq true">
    <body th:onload="javascript:runTimer(\'' + ${timeRemaining} + '\');'">
    </body>
</th:block>
<th:block th:if="${timerEnabled} eq false">
    <body></body>
</th:block>

I know, the other version does look much better, but since it is not working, this one is not so bad. Of course, I wouldn't recommend adding it to your bode in this case.

What I find weird, is that I try your code it does work on my end. Who knows why you are getting that error.