Merge pull request #315 from humhub/fix/314-snippet-js-nonce

Add nonce attribute to all HTML snippets automatically
humhub · Dec 12, 2023 · 457b9a1 · 457b9a1
2 parents 8e0ee0e + b506dc0
commit 457b9a1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/controllers/AbstractCustomContainerController.php b/controllers/AbstractCustomContainerController.php
@@ -10,6 +10,7 @@
 use humhub\components\access\StrictAccess;
 use humhub\modules\admin\permissions\ManageModules;
 use humhub\modules\content\components\ContentContainerController;
+use humhub\modules\custom_pages\helpers\Html;
 use humhub\modules\custom_pages\models\ContainerPage;
 use humhub\modules\custom_pages\models\ContainerSnippet;
 use humhub\modules\custom_pages\models\CustomContentContainer;
@@ -116,8 +117,6 @@ public function renderTemplate($page, $editMode = null)
         $canEdit = PagePermission::canEdit();
         $editMode = ($editMode || Yii::$app->request->get('editMode')) && $canEdit;
 
-        $html = '';
-
         if(!$canEdit && TemplateCache::exists($templateInstance)) {
             $html = TemplateCache::get($templateInstance);
         } else {
@@ -126,7 +125,8 @@ public function renderTemplate($page, $editMode = null)
                 TemplateCache::set($templateInstance, $html);
             }
         }
-        return $html;
+
+        return Html::applyScriptNonce($html);
     }
 
     /**
@@ -148,4 +148,4 @@ public function isCanEdit() {
         return $this->_canEdit;
     }
 
-}
+}
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -4,6 +4,7 @@ Changelog
 Unreleased
 -------------------------
 - Fix #312: Highlight the top menu entry if the current URL matches the Target Url of a "Link" custom page
+- Enh #314: Add nonce attribute to all JavaScript tags in snippet templates and HTML snippets automatically
 
 1.9.5 (November 16, 2023)
 -------------------------

diff --git a/models/Snippet.php b/models/Snippet.php
@@ -2,6 +2,7 @@
 
 namespace humhub\modules\custom_pages\models;
 
+use humhub\modules\custom_pages\helpers\Html;
 use humhub\modules\custom_pages\helpers\Url;
 use humhub\modules\custom_pages\models\forms\SettingsForm;
 use humhub\modules\custom_pages\modules\template\models\Template;
@@ -111,6 +112,10 @@ public function getAllowedTemplateSelection()
      */
     public function getPageContent()
     {
+        if ($this->type == HtmlType::ID) {
+            return Html::applyScriptNonce($this->page_content);
+        }
+
         return $this->page_content;
     }