fix: csp nonce injection when no closing tag (#16281) #16282

Merged
merged 3 commits into from
Mar 31, 2024

Commits on Mar 29, 2024

  1. fix: csp nonce injection when no closing tag (#16281)

    Not all html elements have an ending tag, for example:
    <link rel="stylesheet" href="/roboto.css" />
    In such cases, the current injection func injects the nonce after the forward slash, instead of before it
    current result:
    <link rel="stylesheet" href="/roboto.css" / nonce="abc123">
    
    this patch corrects the behavior to:
    <link rel="stylesheet" href="/roboto.css"  nonce="abc123"/>
    gregtwallace committed Mar 29, 2024
    e5fa777
  2. fix: csp nonce injection when no closing tag (#16281) (pt. 2)

    Change fix method due to the way some tags are manipulated elsewhere.
    
    For example, the csp playground contains:
    <link rel="stylesheet" href="./linked.css" />
    
    Which is then transformed into this prior to nonce injection:
    <link rel="stylesheet" crossorigin href="/assets/index-BTAfrA7H.css">
    
    There is no endTag, but the startTag no longer ends in `/>`. This is likely not ideal but this fix works around that issue.
    gregtwallace committed Mar 29, 2024
    67c7bd9

Commits on Mar 31, 2024

  1. chore: update

    sapphi-red authored Mar 31, 2024
    ac56128
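
The placement problem described in the two commit messages above, as an added JavaScript example that is not the project's code: it reproduces the pre-fix output quoted in the first message and shows one way to place the attribute correctly for both tag endings. All function names are hypothetical, and the third sample tag (an unquoted value ending in `/`) is a constructed case that goes beyond what the commits mention.

```javascript
// Added example, not the project's code. All function names are hypothetical.
const NONCE_RE = /^[A-Za-z0-9+\/=_-]+$/; // base64 / base64url characters only

// Placement before the fix, per the first commit message: the attribute is
// written just before the final ">", which lands after the "/" of "/>".
function injectNonceBeforeFix(startTag, nonce) {
  return startTag.slice(0, -1) + ` nonce="${nonce}">`;
}

// Is a trailing "/" self-closing syntax, or the tail of an unquoted
// attribute value such as href=/assets/ (where it belongs to the value)?
function hasSelfClosingSlash(startTag) {
  if (!startTag.endsWith('/>')) return false;
  const body = startTag.slice(0, -2);
  if (/[\s"']$/.test(body)) return true; // ' />' or '"/>'
  const lastToken = body.split(/\s+/).pop(); // "<br" or "href=/assets"
  return !lastToken.includes('=');
}

// Insert the nonce as the last attribute, whatever the tag ending looks like.
function injectNonce(startTag, nonce) {
  if (!/^<[A-Za-z][\s\S]*>$/.test(startTag)) throw new TypeError('not a start tag');
  if (!NONCE_RE.test(nonce)) throw new TypeError('unexpected character in nonce');
  const selfClosing = hasSelfClosingSlash(startTag);
  const head = startTag.slice(0, selfClosing ? -2 : -1).trimEnd();
  return `${head} nonce="${nonce}"${selfClosing ? ' />' : '>'}`;
}

// Constructed inputs: the two tags quoted in the commit messages, plus one
// with an unquoted value ending in "/" (an assumption, not from the page).
const samples = [
  '<link rel="stylesheet" href="/roboto.css" />',
  '<link rel="stylesheet" crossorigin href="/assets/index-BTAfrA7H.css">',
  '<link rel=stylesheet href=/assets/>',
];
for (const tag of samples) console.log(injectNonce(tag, 'abc123'));
```

Rejecting nonces with characters outside the base64 alphabet keeps a malformed value from closing the attribute early.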