From 2bd05989a120a5a5c2f2ccf3e8f9ec62814ed7ba Mon Sep 17 00:00:00 2001
From: joerdav <joe.davidson.21111@gmail.com>
Date: Mon, 20 May 2024 16:36:40 +0100
Subject: [PATCH 1/3] feat: add WithNonce for CSP compatability

---
 .../{index.md => 01-injection-attacks.md}     |   9 +-
 .../10-security/02-content-security-policy.md | 113 ++++++++++++++++++
 docs/docs/10-security/03-code-signing.md      |   4 +
 examples/content-security-policy/main.go      |  63 ++++++++++
 .../content-security-policy/templates.templ   |   9 ++
 .../templates_templ.go                        |  44 +++++++
 generator/test-script-usage/expected.html     |   6 +-
 generator/test-script-usage/render_test.go    |   5 +-
 runtime.go                                    |  27 ++++-
 9 files changed, 266 insertions(+), 14 deletions(-)
 rename docs/docs/10-security/{index.md => 01-injection-attacks.md} (94%)
 create mode 100644 docs/docs/10-security/02-content-security-policy.md
 create mode 100644 docs/docs/10-security/03-code-signing.md
 create mode 100644 examples/content-security-policy/main.go
 create mode 100644 examples/content-security-policy/templates.templ
 create mode 100644 examples/content-security-policy/templates_templ.go

diff --git a/docs/docs/10-security/index.md b/docs/docs/10-security/01-injection-attacks.md
similarity index 94%
rename from docs/docs/10-security/index.md
rename to docs/docs/10-security/01-injection-attacks.md
index c7775e876..9a1f832cf 100644
--- a/docs/docs/10-security/index.md
+++ b/docs/docs/10-security/01-injection-attacks.md
@@ -1,6 +1,4 @@
-# Security
-
-## Injection attacks
+# Injection attacks
 
 templ is designed to prevent user-provided data from being used to inject vulnerabilities.
 
@@ -87,8 +85,3 @@ css className() {
 	color: { red };
 }
 ```
-
-## Code signing
-
-Binaries are created by https://github.com/a-h and signed with https://adrianhesketh.com/a-h.gpg
-
diff --git a/docs/docs/10-security/02-content-security-policy.md b/docs/docs/10-security/02-content-security-policy.md
new file mode 100644
index 000000000..5f2ccef44
--- /dev/null
+++ b/docs/docs/10-security/02-content-security-policy.md
@@ -0,0 +1,113 @@
+# Content security policy
+
+## Nonces
+
+In templ [script templates](/syntax-and-usage/script-templates#script-templates) are rendered as inline `<script>` tags. This means by default they are not compatible with a strict CSP.
+
+Nonces can be used to allow templ to bypass a strict CSP. They are randomly generated string that should be re-generated on every request.
+
+The `templ.WithNonce` function can be used to provide a nonce for templ to use when rendering a script.
+
+```templ title="templates.templ"
+package main
+
+import "context"
+import "os"
+
+script onLoad() {
+    alert("Hello, world!")
+}
+
+templ template() {
+    @onLoad()
+}
+
+func main() {
+    nonce := generateSecurelyRandomString()
+    ctx := templ.WithNonce(context.Background(), nonce)
+    if err := template().Render(ctx, os.Stdout); err != nil {
+        panic(err)
+    }
+}
+```
+```go title="main.go"
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"time"
+)
+
+func main() {
+	mux := http.NewServeMux()
+
+	// Handle template.
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+        nonce := generateSecurelyRandomString()
+        rw.Header().Set("Content-Security-Policy", fmt.Sprintf("script-src: 'nonce-%s'", nonce))
+        ctx := templ.WithNonce(context.Background(), nonce)
+        if err := template().Render(ctx, os.Stdout); err != nil {
+            http.Error(w, "failed to render", 500)
+        }
+	})
+
+	// Start the server.
+	fmt.Println("listening on :8080")
+	if err := http.ListenAndServe(":8080", mux); err != nil {
+		log.Printf("error listening: %v", err)
+	}
+}
+
+```
+
+This would render the following:
+
+```html
+<script type="text/javascript" nonce="..randomly generated nonce">function __templ_onLoad_5a85(){alert("Hello, world!")}</script>
+<script type="text/javascript" nonce="..randomly generated nonce">__templ_onLoad_5a85()</script>
+```
+
+## Nonce Middleware
+
+Generate and apply nonces in a middleware to remove repeated code in handlers:
+
+```go title="main.go"
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"time"
+)
+
+func nonceMiddleware(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		nonce := generateSecurelyRandomString()
+		ctx := templ.WithNonce(context.Background(), nonce)
+		w.Header().Add("Content-Security-Policy", fmt.Sprintf("script-src 'nonce-%s'", nonce))
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func main() {
+	mux := http.NewServeMux()
+
+	// Handle template.
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		if err := template().Render(ctx, os.Stdout); err != nil {
+			http.Error(w, "failed to render", 500)
+		}
+	})
+
+	// Start the server.
+	fmt.Println("listening on :8080")
+	// Apply middlewares.
+	mux = nonceMiddleware(mux)
+	if err := http.ListenAndServe(":8080", mux); err != nil {
+		log.Printf("error listening: %v", err)
+	}
+}
+```
diff --git a/docs/docs/10-security/03-code-signing.md b/docs/docs/10-security/03-code-signing.md
new file mode 100644
index 000000000..aa3046f4d
--- /dev/null
+++ b/docs/docs/10-security/03-code-signing.md
@@ -0,0 +1,4 @@
+# Code signing
+
+Binaries are created by https://github.com/a-h and signed with https://adrianhesketh.com/a-h.gpg
+
diff --git a/examples/content-security-policy/main.go b/examples/content-security-policy/main.go
new file mode 100644
index 000000000..1e36694e2
--- /dev/null
+++ b/examples/content-security-policy/main.go
@@ -0,0 +1,63 @@
+package main
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math/big"
+	"net/http"
+
+	"github.com/a-h/templ"
+)
+
+func main() {
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("/basic", func(w http.ResponseWriter, r *http.Request) {
+		nonce, err := generateRandomString(28)
+		if err != nil {
+			// ...
+		}
+		ctx := templ.WithNonce(r.Context(), nonce)
+		w.Header().Add("Content-Security-Policy", fmt.Sprintf("script-src 'nonce-%s'", nonce))
+		err = template().Render(ctx, w)
+		if err != nil {
+			// ...
+		}
+	})
+
+	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		err := template().Render(r.Context(), w)
+		if err != nil {
+			// ...
+		}
+	})
+	mux.Handle("/middleware", scriptNonceMiddleware(h))
+
+	http.ListenAndServe("127.0.0.1:7000", mux)
+}
+
+func scriptNonceMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		nonce, err := generateRandomString(28)
+		if err != nil {
+			// ...
+		}
+		ctx := templ.WithNonce(r.Context(), nonce)
+		w.Header().Add("Content-Security-Policy", fmt.Sprintf("script-src 'nonce-%s'", nonce))
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func generateRandomString(n int) (string, error) {
+	const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
+	ret := make([]byte, n)
+	for i := 0; i < n; i++ {
+		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
+		if err != nil {
+			return "", err
+		}
+		ret[i] = letters[num.Int64()]
+	}
+
+	return string(ret), nil
+}
diff --git a/examples/content-security-policy/templates.templ b/examples/content-security-policy/templates.templ
new file mode 100644
index 000000000..c88808adc
--- /dev/null
+++ b/examples/content-security-policy/templates.templ
@@ -0,0 +1,9 @@
+package main
+
+script sayHello() {
+	alert("Hello")
+}
+
+templ template() {
+	@sayHello()
+}
diff --git a/examples/content-security-policy/templates_templ.go b/examples/content-security-policy/templates_templ.go
new file mode 100644
index 000000000..4d463f6cb
--- /dev/null
+++ b/examples/content-security-policy/templates_templ.go
@@ -0,0 +1,44 @@
+// Code generated by templ - DO NOT EDIT.
+
+package main
+
+//lint:file-ignore SA4006 This context is only used if a nested component is present.
+
+import "github.com/a-h/templ"
+import "context"
+import "io"
+import "bytes"
+
+func sayHello() templ.ComponentScript {
+	return templ.ComponentScript{
+		Name: `__templ_sayHello_6bd3`,
+		Function: `function __templ_sayHello_6bd3(){alert("Hello")
+}`,
+		Call:       templ.SafeScript(`__templ_sayHello_6bd3`),
+		CallInline: templ.SafeScriptInline(`__templ_sayHello_6bd3`),
+	}
+}
+
+func template() templ.Component {
+	return templ.ComponentFunc(func(ctx context.Context, templ_7745c5c3_W io.Writer) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templ_7745c5c3_W.(*bytes.Buffer)
+		if !templ_7745c5c3_IsBuffer {
+			templ_7745c5c3_Buffer = templ.GetBuffer()
+			defer templ.ReleaseBuffer(templ_7745c5c3_Buffer)
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var1 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var1 == nil {
+			templ_7745c5c3_Var1 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = sayHello().Render(ctx, templ_7745c5c3_Buffer)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		if !templ_7745c5c3_IsBuffer {
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteTo(templ_7745c5c3_W)
+		}
+		return templ_7745c5c3_Err
+	})
+}
diff --git a/generator/test-script-usage/expected.html b/generator/test-script-usage/expected.html
index bffa3c630..9f15abc46 100644
--- a/generator/test-script-usage/expected.html
+++ b/generator/test-script-usage/expected.html
@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script type="text/javascript" nonce="nonce1">
 	function __templ_withParameters_1056(a, b, c){console.log(a, b, c);
 }function __templ_withoutParameters_6bbf(){alert("hello");
 }
@@ -7,12 +7,12 @@
 <button onClick="__templ_withParameters_1056(&#34;test&#34;,&#34;B&#34;,123)" onMouseover="__templ_withoutParameters_6bbf()" type="button">B</button>
 <button onMouseover="console.log(&#39;mouseover&#39;)" type="button">Button C</button>
 <button hx-on::click="alert('clicked inline')" type="button">Button D</button>
-<script type="text/javascript">
+<script type="text/javascript" nonce="nonce1">
   function __templ_onClick_657d(){alert("clicked");
 }
 </script>
 <button hx-on::click="__templ_onClick_657d()" type="button">Button E</button>
-<script type="text/javascript">
+<script type="text/javascript" nonce="nonce1">
   function __templ_conditionalScript_de41(){alert("conditional");
 }
 </script>
diff --git a/generator/test-script-usage/render_test.go b/generator/test-script-usage/render_test.go
index 9aea4ba67..48b2da861 100644
--- a/generator/test-script-usage/render_test.go
+++ b/generator/test-script-usage/render_test.go
@@ -1,9 +1,11 @@
 package testscriptusage
 
 import (
+	"context"
 	_ "embed"
 	"testing"
 
+	"github.com/a-h/templ"
 	"github.com/a-h/templ/generator/htmldiff"
 )
 
@@ -13,7 +15,8 @@ var expected string
 func Test(t *testing.T) {
 	component := ThreeButtons()
 
-	diff, err := htmldiff.Diff(component, expected)
+	ctx := templ.WithNonce(context.Background(), "nonce1")
+	diff, err := htmldiff.DiffCtx(ctx, component, expected)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/runtime.go b/runtime.go
index 3a86939a5..c430a0f2b 100644
--- a/runtime.go
+++ b/runtime.go
@@ -41,6 +41,12 @@ func (cf ComponentFunc) Render(ctx context.Context, w io.Writer) error {
 	return cf(ctx, w)
 }
 
+func WithNonce(ctx context.Context, nonce string) context.Context {
+	ctx, v := getContext(ctx)
+	v.nonce = nonce
+	return ctx
+}
+
 func WithChildren(ctx context.Context, children Component) context.Context {
 	ctx, v := getContext(ctx)
 	v.children = &children
@@ -578,6 +584,7 @@ const contextKey = contextKeyType(0)
 type contextValue struct {
 	ss       map[string]struct{}
 	children *Component
+	nonce    string
 }
 
 func (v *contextValue) addScript(s string) {
@@ -663,13 +670,29 @@ type ComponentScript struct {
 
 var _ Component = ComponentScript{}
 
+func writeScriptHeader(ctx context.Context, w io.Writer) error {
+	_, ctxv := getContext(ctx)
+	if _, err := io.WriteString(w, `<script type="text/javascript"`); err != nil {
+		return err
+	}
+	if ctxv.nonce != "" {
+		if _, err := io.WriteString(w, ` nonce="`+EscapeString(ctxv.nonce)+`"`); err != nil {
+			return err
+		}
+	}
+	if _, err := io.WriteString(w, `>`); err != nil {
+		return err
+	}
+	return nil
+}
+
 func (c ComponentScript) Render(ctx context.Context, w io.Writer) error {
 	err := RenderScriptItems(ctx, w, c)
 	if err != nil {
 		return err
 	}
 	if len(c.Call) > 0 {
-		if _, err = io.WriteString(w, `<script type="text/javascript">`); err != nil {
+		if err = writeScriptHeader(ctx, w); err != nil {
 			return err
 		}
 		if _, err = io.WriteString(w, c.CallInline); err != nil {
@@ -696,7 +719,7 @@ func RenderScriptItems(ctx context.Context, w io.Writer, scripts ...ComponentScr
 		}
 	}
 	if sb.Len() > 0 {
-		if _, err = io.WriteString(w, `<script type="text/javascript">`); err != nil {
+		if err = writeScriptHeader(ctx, w); err != nil {
 			return err
 		}
 		if _, err = io.WriteString(w, sb.String()); err != nil {

From 8331ce847035b438be517ecd312c78851200b115 Mon Sep 17 00:00:00 2001
From: Adrian Hesketh <adrianhesketh@hushmail.com>
Date: Tue, 21 May 2024 13:20:36 +0100
Subject: [PATCH 2/3] refactor: add GetNonce

---
 .version                                      |   2 +-
 .../10-security/02-content-security-policy.md | 101 +++-----
 docs/docs/10-security/03-code-signing.md      |   5 +-
 .../test-script-usage-nonce/expected.html     |  19 ++
 .../test-script-usage-nonce/render_test.go    |  26 +++
 .../test-script-usage-nonce/template.templ    |  44 ++++
 .../test-script-usage-nonce/template_templ.go | 219 ++++++++++++++++++
 generator/test-script-usage/expected.html     |   6 +-
 generator/test-script-usage/render_test.go    |   5 +-
 runtime.go                                    |  27 +--
 runtime_test.go                               |  18 ++
 11 files changed, 386 insertions(+), 86 deletions(-)
 create mode 100644 generator/test-script-usage-nonce/expected.html
 create mode 100644 generator/test-script-usage-nonce/render_test.go
 create mode 100644 generator/test-script-usage-nonce/template.templ
 create mode 100644 generator/test-script-usage-nonce/template_templ.go

diff --git a/.version b/.version
index 281ad6c5d..8d31eb250 100644
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.2.692
+0.2.699
\ No newline at end of file
diff --git a/docs/docs/10-security/02-content-security-policy.md b/docs/docs/10-security/02-content-security-policy.md
index 5f2ccef44..6ba5e0410 100644
--- a/docs/docs/10-security/02-content-security-policy.md
+++ b/docs/docs/10-security/02-content-security-policy.md
@@ -2,11 +2,25 @@
 
 ## Nonces
 
-In templ [script templates](/syntax-and-usage/script-templates#script-templates) are rendered as inline `<script>` tags. This means by default they are not compatible with a strict CSP.
+In templ [script templates](/syntax-and-usage/script-templates#script-templates) are rendered as inline `<script>` tags.
 
-Nonces can be used to allow templ to bypass a strict CSP. They are randomly generated string that should be re-generated on every request.
+Strict Content Security Policies (CSP) can prevent these inline scripts from executing.
 
-The `templ.WithNonce` function can be used to provide a nonce for templ to use when rendering a script.
+By setting a nonce attribute on the `<script>` tag, and setting the same nonce in the CSP header, the browser will allow the script to execute.
+
+:::info
+It's your responsibility to generate a secure nonce. Nonces should be generated using a cryptographically secure random number generator.
+
+See https://content-security-policy.com/nonce/ for more information.
+:::
+
+## Setting a nonce
+
+The `templ.WithNonce` function can be used to set a nonce for templ to use when rendering scripts.
+
+It returns an updated `context.Context` with the nonce set.
+
+In this example, the `alert` function is rendered as a script element by templ.
 
 ```templ title="templates.templ"
 package main
@@ -21,58 +35,8 @@ script onLoad() {
 templ template() {
     @onLoad()
 }
-
-func main() {
-    nonce := generateSecurelyRandomString()
-    ctx := templ.WithNonce(context.Background(), nonce)
-    if err := template().Render(ctx, os.Stdout); err != nil {
-        panic(err)
-    }
-}
-```
-```go title="main.go"
-package main
-
-import (
-	"fmt"
-	"log"
-	"net/http"
-	"time"
-)
-
-func main() {
-	mux := http.NewServeMux()
-
-	// Handle template.
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-        nonce := generateSecurelyRandomString()
-        rw.Header().Set("Content-Security-Policy", fmt.Sprintf("script-src: 'nonce-%s'", nonce))
-        ctx := templ.WithNonce(context.Background(), nonce)
-        if err := template().Render(ctx, os.Stdout); err != nil {
-            http.Error(w, "failed to render", 500)
-        }
-	})
-
-	// Start the server.
-	fmt.Println("listening on :8080")
-	if err := http.ListenAndServe(":8080", mux); err != nil {
-		log.Printf("error listening: %v", err)
-	}
-}
-
 ```
 
-This would render the following:
-
-```html
-<script type="text/javascript" nonce="..randomly generated nonce">function __templ_onLoad_5a85(){alert("Hello, world!")}</script>
-<script type="text/javascript" nonce="..randomly generated nonce">__templ_onLoad_5a85()</script>
-```
-
-## Nonce Middleware
-
-Generate and apply nonces in a middleware to remove repeated code in handlers:
-
 ```go title="main.go"
 package main
 
@@ -83,11 +47,12 @@ import (
 	"time"
 )
 
-func nonceMiddleware(handler http.Handler) http.Handler {
+func withNonce(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		nonce := generateSecurelyRandomString()
-		ctx := templ.WithNonce(context.Background(), nonce)
+		nonce := securelyGenerateRandomString()
 		w.Header().Add("Content-Security-Policy", fmt.Sprintf("script-src 'nonce-%s'", nonce))
+		// Use the context to pass the nonce to the handler.
+		ctx := templ.WithNonce(r.Context(), nonce)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
@@ -96,18 +61,26 @@ func main() {
 	mux := http.NewServeMux()
 
 	// Handle template.
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		if err := template().Render(ctx, os.Stdout); err != nil {
-			http.Error(w, "failed to render", 500)
-		}
-	})
+	mux.HandleFunc("/", templ.Handler(template()))
+
+	// Apply middleware.
+	withNonceMux := withNonce(mux)
 
 	// Start the server.
 	fmt.Println("listening on :8080")
-	// Apply middlewares.
-	mux = nonceMiddleware(mux)
-	if err := http.ListenAndServe(":8080", mux); err != nil {
+	if err := http.ListenAndServe(":8080", withNonceMux); err != nil {
 		log.Printf("error listening: %v", err)
 	}
 }
 ```
+
+```html title="Output"
+<script type="text/javascript" nonce="randomly generated nonce">
+  function __templ_onLoad_5a85() {
+    alert("Hello, world!")
+  }
+</script>
+<script type="text/javascript" nonce="randomly generated nonce">
+  __templ_onLoad_5a85()
+</script>
+```
diff --git a/docs/docs/10-security/03-code-signing.md b/docs/docs/10-security/03-code-signing.md
index aa3046f4d..473850196 100644
--- a/docs/docs/10-security/03-code-signing.md
+++ b/docs/docs/10-security/03-code-signing.md
@@ -1,4 +1,7 @@
 # Code signing
 
-Binaries are created by https://github.com/a-h and signed with https://adrianhesketh.com/a-h.gpg
+Binaries are created by the Github Actions workflow at https://github.com/a-h/templ/blob/main/.github/workflows/release.yml
 
+Binaries are signed by cosign. The public key is stored in the repository at https://github.com/a-h/templ/blob/main/cosign.pub
+
+Instructions for key verification at https://docs.sigstore.dev/verifying/verify/
diff --git a/generator/test-script-usage-nonce/expected.html b/generator/test-script-usage-nonce/expected.html
new file mode 100644
index 000000000..9f15abc46
--- /dev/null
+++ b/generator/test-script-usage-nonce/expected.html
@@ -0,0 +1,19 @@
+<script type="text/javascript" nonce="nonce1">
+	function __templ_withParameters_1056(a, b, c){console.log(a, b, c);
+}function __templ_withoutParameters_6bbf(){alert("hello");
+}
+</script>
+<button onClick="__templ_withParameters_1056(&#34;test&#34;,&#34;A&#34;,123)" onMouseover="__templ_withoutParameters_6bbf()" type="button">A</button>
+<button onClick="__templ_withParameters_1056(&#34;test&#34;,&#34;B&#34;,123)" onMouseover="__templ_withoutParameters_6bbf()" type="button">B</button>
+<button onMouseover="console.log(&#39;mouseover&#39;)" type="button">Button C</button>
+<button hx-on::click="alert('clicked inline')" type="button">Button D</button>
+<script type="text/javascript" nonce="nonce1">
+  function __templ_onClick_657d(){alert("clicked");
+}
+</script>
+<button hx-on::click="__templ_onClick_657d()" type="button">Button E</button>
+<script type="text/javascript" nonce="nonce1">
+  function __templ_conditionalScript_de41(){alert("conditional");
+}
+</script>
+<input type="button" value="Click me" onclick="__templ_conditionalScript_de41()" />
diff --git a/generator/test-script-usage-nonce/render_test.go b/generator/test-script-usage-nonce/render_test.go
new file mode 100644
index 000000000..48b2da861
--- /dev/null
+++ b/generator/test-script-usage-nonce/render_test.go
@@ -0,0 +1,26 @@
+package testscriptusage
+
+import (
+	"context"
+	_ "embed"
+	"testing"
+
+	"github.com/a-h/templ"
+	"github.com/a-h/templ/generator/htmldiff"
+)
+
+//go:embed expected.html
+var expected string
+
+func Test(t *testing.T) {
+	component := ThreeButtons()
+
+	ctx := templ.WithNonce(context.Background(), "nonce1")
+	diff, err := htmldiff.DiffCtx(ctx, component, expected)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff != "" {
+		t.Error(diff)
+	}
+}
diff --git a/generator/test-script-usage-nonce/template.templ b/generator/test-script-usage-nonce/template.templ
new file mode 100644
index 000000000..9364a7525
--- /dev/null
+++ b/generator/test-script-usage-nonce/template.templ
@@ -0,0 +1,44 @@
+package testscriptusage
+
+script withParameters(a string, b string, c int) {
+	console.log(a, b, c);
+}
+
+script withoutParameters() {
+	alert("hello");
+}
+
+script onClick() {
+	alert("clicked");
+}
+
+templ Button(text string) {
+	<button onClick={ withParameters("test", text, 123) } onMouseover={ withoutParameters() } type="button">{ text }</button>
+}
+
+script withComment() {
+	//'
+}
+
+templ ThreeButtons() {
+	@Button("A")
+	@Button("B")
+	<button onMouseover="console.log('mouseover')" type="button">Button C</button>
+	<button hx-on::click="alert('clicked inline')" type="button">Button D</button>
+	<button hx-on::click={ onClick() } type="button">Button E</button>
+	@Conditional(true)
+}
+
+script conditionalScript() {
+  alert("conditional");
+}
+
+templ Conditional(show bool) {
+	<input
+		type="button"
+		value="Click me"
+		if show {
+			onclick={ conditionalScript() }
+		}
+	/>
+}
diff --git a/generator/test-script-usage-nonce/template_templ.go b/generator/test-script-usage-nonce/template_templ.go
new file mode 100644
index 000000000..e30405e4b
--- /dev/null
+++ b/generator/test-script-usage-nonce/template_templ.go
@@ -0,0 +1,219 @@
+// Code generated by templ - DO NOT EDIT.
+
+package testscriptusage
+
+//lint:file-ignore SA4006 This context is only used if a nested component is present.
+
+import "github.com/a-h/templ"
+import "context"
+import "io"
+import "bytes"
+
+func withParameters(a string, b string, c int) templ.ComponentScript {
+	return templ.ComponentScript{
+		Name: `__templ_withParameters_1056`,
+		Function: `function __templ_withParameters_1056(a, b, c){console.log(a, b, c);
+}`,
+		Call:       templ.SafeScript(`__templ_withParameters_1056`, a, b, c),
+		CallInline: templ.SafeScriptInline(`__templ_withParameters_1056`, a, b, c),
+	}
+}
+
+func withoutParameters() templ.ComponentScript {
+	return templ.ComponentScript{
+		Name: `__templ_withoutParameters_6bbf`,
+		Function: `function __templ_withoutParameters_6bbf(){alert("hello");
+}`,
+		Call:       templ.SafeScript(`__templ_withoutParameters_6bbf`),
+		CallInline: templ.SafeScriptInline(`__templ_withoutParameters_6bbf`),
+	}
+}
+
+func onClick() templ.ComponentScript {
+	return templ.ComponentScript{
+		Name: `__templ_onClick_657d`,
+		Function: `function __templ_onClick_657d(){alert("clicked");
+}`,
+		Call:       templ.SafeScript(`__templ_onClick_657d`),
+		CallInline: templ.SafeScriptInline(`__templ_onClick_657d`),
+	}
+}
+
+func Button(text string) templ.Component {
+	return templ.ComponentFunc(func(ctx context.Context, templ_7745c5c3_W io.Writer) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templ_7745c5c3_W.(*bytes.Buffer)
+		if !templ_7745c5c3_IsBuffer {
+			templ_7745c5c3_Buffer = templ.GetBuffer()
+			defer templ.ReleaseBuffer(templ_7745c5c3_Buffer)
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var1 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var1 == nil {
+			templ_7745c5c3_Var1 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = templ.RenderScriptItems(ctx, templ_7745c5c3_Buffer, withParameters("test", text, 123), withoutParameters())
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("<button onClick=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var2 templ.ComponentScript = withParameters("test", text, 123)
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ_7745c5c3_Var2.Call)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("\" onMouseover=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var3 templ.ComponentScript = withoutParameters()
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ_7745c5c3_Var3.Call)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("\" type=\"button\">")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var4 string
+		templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs(text)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `generator/test-script-usage-nonce/template.templ`, Line: 16, Col: 111}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var4))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("</button>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		if !templ_7745c5c3_IsBuffer {
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteTo(templ_7745c5c3_W)
+		}
+		return templ_7745c5c3_Err
+	})
+}
+
+func withComment() templ.ComponentScript {
+	return templ.ComponentScript{
+		Name: `__templ_withComment_9cf8`,
+		Function: `function __templ_withComment_9cf8(){//'
+}`,
+		Call:       templ.SafeScript(`__templ_withComment_9cf8`),
+		CallInline: templ.SafeScriptInline(`__templ_withComment_9cf8`),
+	}
+}
+
+func ThreeButtons() templ.Component {
+	return templ.ComponentFunc(func(ctx context.Context, templ_7745c5c3_W io.Writer) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templ_7745c5c3_W.(*bytes.Buffer)
+		if !templ_7745c5c3_IsBuffer {
+			templ_7745c5c3_Buffer = templ.GetBuffer()
+			defer templ.ReleaseBuffer(templ_7745c5c3_Buffer)
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var5 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var5 == nil {
+			templ_7745c5c3_Var5 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = Button("A").Render(ctx, templ_7745c5c3_Buffer)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = Button("B").Render(ctx, templ_7745c5c3_Buffer)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("<button onMouseover=\"console.log(&#39;mouseover&#39;)\" type=\"button\">Button C</button> <button hx-on::click=\"alert(&#39;clicked inline&#39;)\" type=\"button\">Button D</button> ")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templ.RenderScriptItems(ctx, templ_7745c5c3_Buffer, onClick())
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("<button hx-on::click=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var6 templ.ComponentScript = onClick()
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ_7745c5c3_Var6.Call)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("\" type=\"button\">Button E</button>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = Conditional(true).Render(ctx, templ_7745c5c3_Buffer)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		if !templ_7745c5c3_IsBuffer {
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteTo(templ_7745c5c3_W)
+		}
+		return templ_7745c5c3_Err
+	})
+}
+
+func conditionalScript() templ.ComponentScript {
+	return templ.ComponentScript{
+		Name: `__templ_conditionalScript_de41`,
+		Function: `function __templ_conditionalScript_de41(){alert("conditional");
+}`,
+		Call:       templ.SafeScript(`__templ_conditionalScript_de41`),
+		CallInline: templ.SafeScriptInline(`__templ_conditionalScript_de41`),
+	}
+}
+
+func Conditional(show bool) templ.Component {
+	return templ.ComponentFunc(func(ctx context.Context, templ_7745c5c3_W io.Writer) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templ_7745c5c3_W.(*bytes.Buffer)
+		if !templ_7745c5c3_IsBuffer {
+			templ_7745c5c3_Buffer = templ.GetBuffer()
+			defer templ.ReleaseBuffer(templ_7745c5c3_Buffer)
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var7 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var7 == nil {
+			templ_7745c5c3_Var7 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = templ.RenderScriptItems(ctx, templ_7745c5c3_Buffer, conditionalScript())
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("<input type=\"button\" value=\"Click me\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		if show {
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(" onclick=\"")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			var templ_7745c5c3_Var8 templ.ComponentScript = conditionalScript()
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ_7745c5c3_Var8.Call)
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("\"")
+			if templ_7745c5c3_Err != nil {
+				return templ_7745c5c3_Err
+			}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(">")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		if !templ_7745c5c3_IsBuffer {
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteTo(templ_7745c5c3_W)
+		}
+		return templ_7745c5c3_Err
+	})
+}
diff --git a/generator/test-script-usage/expected.html b/generator/test-script-usage/expected.html
index 9f15abc46..bffa3c630 100644
--- a/generator/test-script-usage/expected.html
+++ b/generator/test-script-usage/expected.html
@@ -1,4 +1,4 @@
-<script type="text/javascript" nonce="nonce1">
+<script type="text/javascript">
 	function __templ_withParameters_1056(a, b, c){console.log(a, b, c);
 }function __templ_withoutParameters_6bbf(){alert("hello");
 }
@@ -7,12 +7,12 @@
 <button onClick="__templ_withParameters_1056(&#34;test&#34;,&#34;B&#34;,123)" onMouseover="__templ_withoutParameters_6bbf()" type="button">B</button>
 <button onMouseover="console.log(&#39;mouseover&#39;)" type="button">Button C</button>
 <button hx-on::click="alert('clicked inline')" type="button">Button D</button>
-<script type="text/javascript" nonce="nonce1">
+<script type="text/javascript">
   function __templ_onClick_657d(){alert("clicked");
 }
 </script>
 <button hx-on::click="__templ_onClick_657d()" type="button">Button E</button>
-<script type="text/javascript" nonce="nonce1">
+<script type="text/javascript">
   function __templ_conditionalScript_de41(){alert("conditional");
 }
 </script>
diff --git a/generator/test-script-usage/render_test.go b/generator/test-script-usage/render_test.go
index 48b2da861..9aea4ba67 100644
--- a/generator/test-script-usage/render_test.go
+++ b/generator/test-script-usage/render_test.go
@@ -1,11 +1,9 @@
 package testscriptusage
 
 import (
-	"context"
 	_ "embed"
 	"testing"
 
-	"github.com/a-h/templ"
 	"github.com/a-h/templ/generator/htmldiff"
 )
 
@@ -15,8 +13,7 @@ var expected string
 func Test(t *testing.T) {
 	component := ThreeButtons()
 
-	ctx := templ.WithNonce(context.Background(), "nonce1")
-	diff, err := htmldiff.DiffCtx(ctx, component, expected)
+	diff, err := htmldiff.Diff(component, expected)
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/runtime.go b/runtime.go
index c430a0f2b..b918a3f7f 100644
--- a/runtime.go
+++ b/runtime.go
@@ -41,12 +41,20 @@ func (cf ComponentFunc) Render(ctx context.Context, w io.Writer) error {
 	return cf(ctx, w)
 }
 
+// WithNonce sets a CSP nonce on the context and returns it.
 func WithNonce(ctx context.Context, nonce string) context.Context {
 	ctx, v := getContext(ctx)
 	v.nonce = nonce
 	return ctx
 }
 
+// GetNonce returns the CSP nonce value set with WithNonce, or an
+// empty string if none has been set.
+func GetNonce(ctx context.Context) (nonce string) {
+	_, v := getContext(ctx)
+	return v.nonce
+}
+
 func WithChildren(ctx context.Context, children Component) context.Context {
 	ctx, v := getContext(ctx)
 	v.children = &children
@@ -670,20 +678,13 @@ type ComponentScript struct {
 
 var _ Component = ComponentScript{}
 
-func writeScriptHeader(ctx context.Context, w io.Writer) error {
-	_, ctxv := getContext(ctx)
-	if _, err := io.WriteString(w, `<script type="text/javascript"`); err != nil {
-		return err
+func writeScriptHeader(ctx context.Context, w io.Writer) (err error) {
+	var nonceAttr string
+	if nonce := GetNonce(ctx); nonce != "" {
+		nonceAttr = " nonce=\"" + EscapeString(nonce) + "\""
 	}
-	if ctxv.nonce != "" {
-		if _, err := io.WriteString(w, ` nonce="`+EscapeString(ctxv.nonce)+`"`); err != nil {
-			return err
-		}
-	}
-	if _, err := io.WriteString(w, `>`); err != nil {
-		return err
-	}
-	return nil
+	_, err = fmt.Fprintf(w, `<script type="text/javascript"%s>`, nonceAttr)
+	return err
 }
 
 func (c ComponentScript) Render(ctx context.Context, w io.Writer) error {
diff --git a/runtime_test.go b/runtime_test.go
index be7ba3ff9..d481acf1b 100644
--- a/runtime_test.go
+++ b/runtime_test.go
@@ -725,3 +725,21 @@ func TestGoHTMLComponents(t *testing.T) {
 		}
 	})
 }
+
+func TestNonce(t *testing.T) {
+	ctx := context.Background()
+	t.Run("returns empty string if not set", func(t *testing.T) {
+		actual := templ.GetNonce(ctx)
+		if actual != "" {
+			t.Errorf("expected empty string got %q", actual)
+		}
+	})
+	t.Run("returns value if one has been set", func(t *testing.T) {
+		expected := "abc123"
+		ctx := templ.WithNonce(context.Background(), expected)
+		actual := templ.GetNonce(ctx)
+		if actual != expected {
+			t.Errorf("expected %q got %q", expected, actual)
+		}
+	})
+}

From 012ffb3dd2babe523b696924033682ba181ef7db Mon Sep 17 00:00:00 2001
From: Adrian Hesketh <adrianhesketh@hushmail.com>
Date: Tue, 21 May 2024 13:43:03 +0100
Subject: [PATCH 3/3] refactor: update the example to make it more copy/paste
 friendly

---
 examples/content-security-policy/main.go | 72 +++++++++++++-----------
 1 file changed, 38 insertions(+), 34 deletions(-)

diff --git a/examples/content-security-policy/main.go b/examples/content-security-policy/main.go
index 1e36694e2..72c33a410 100644
--- a/examples/content-security-policy/main.go
+++ b/examples/content-security-policy/main.go
@@ -5,59 +5,63 @@ import (
 	"fmt"
 	"math/big"
 	"net/http"
+	"os"
+
+	"log/slog"
 
 	"github.com/a-h/templ"
 )
 
 func main() {
+	log := slog.New(slog.NewJSONHandler(os.Stdout, nil))
+
+	// Create HTTP routes.
 	mux := http.NewServeMux()
+	mux.Handle("/", templ.Handler(template()))
 
-	mux.HandleFunc("/basic", func(w http.ResponseWriter, r *http.Request) {
-		nonce, err := generateRandomString(28)
-		if err != nil {
-			// ...
-		}
-		ctx := templ.WithNonce(r.Context(), nonce)
-		w.Header().Add("Content-Security-Policy", fmt.Sprintf("script-src 'nonce-%s'", nonce))
-		err = template().Render(ctx, w)
-		if err != nil {
-			// ...
-		}
-	})
+	// Wrap the router with CSP middleware to apply the CSP nonce to templ scripts.
+	withCSPMiddleware := NewCSPMiddleware(log, mux)
 
-	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		err := template().Render(r.Context(), w)
-		if err != nil {
-			// ...
-		}
-	})
-	mux.Handle("/middleware", scriptNonceMiddleware(h))
+	log.Info("Listening...", slog.String("addr", "127.0.0.1:7001"))
+	if err := http.ListenAndServe("127.0.0.1:7001", withCSPMiddleware); err != nil {
+		log.Error("failed to start server", slog.Any("error", err))
+	}
+}
 
-	http.ListenAndServe("127.0.0.1:7000", mux)
+func NewCSPMiddleware(log *slog.Logger, next http.Handler) *CSPMiddleware {
+	return &CSPMiddleware{
+		Log:  log,
+		Next: next,
+		Size: 28,
+	}
 }
 
-func scriptNonceMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		nonce, err := generateRandomString(28)
-		if err != nil {
-			// ...
-		}
-		ctx := templ.WithNonce(r.Context(), nonce)
-		w.Header().Add("Content-Security-Policy", fmt.Sprintf("script-src 'nonce-%s'", nonce))
-		next.ServeHTTP(w, r.WithContext(ctx))
-	})
+type CSPMiddleware struct {
+	Log  *slog.Logger
+	Next http.Handler
+	Size int
 }
 
-func generateRandomString(n int) (string, error) {
+func (m *CSPMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	nonce, err := m.generateNonce()
+	if err != nil {
+		m.Log.Error("failed to generate nonce", slog.Any("error", err))
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+	}
+	ctx := templ.WithNonce(r.Context(), nonce)
+	w.Header().Add("Content-Security-Policy", fmt.Sprintf("script-src 'nonce-%s'", nonce))
+	m.Next.ServeHTTP(w, r.WithContext(ctx))
+}
+
+func (m *CSPMiddleware) generateNonce() (string, error) {
 	const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
-	ret := make([]byte, n)
-	for i := 0; i < n; i++ {
+	ret := make([]byte, m.Size)
+	for i := 0; i < m.Size; i++ {
 		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
 		if err != nil {
 			return "", err
 		}
 		ret[i] = letters[num.Int64()]
 	}
-
 	return string(ret), nil
 }