fix: csp nonce injection when no closing tag (#16281)

Not all html elements have an ending tag, for example: <link rel="stylesheet" href="/roboto.css" /> In such cases, the current injection func injects the nonce after the forward slash, instead of before it current result: <link rel="stylesheet" href="/roboto.css" / nonce="abc123"> this patch corrects the behavior to: <link rel="stylesheet" href="/roboto.css" nonce="abc123"/>
vitejs · Mar 29, 2024 · 5bbc17b · 5bbc17b
1 parent 1d9a042
commit 5bbc17b
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts
@@ -1189,8 +1189,12 @@ export function injectNonceAttributeTagHook(
               parseRelAttr(attr.value).some((a) => processRelType.has(a)),
           ))
       ) {
+        // if there is no endTag, the end of the startTag will be `/>`
+        // therefore, the appendOffset should be 2 in this case, instead of 1
+        const appendOffset = node?.sourceCodeLocation?.endTag ? 1 : 2
+
         s.appendRight(
-          node.sourceCodeLocation!.startTag!.endOffset - 1,
+          node.sourceCodeLocation!.startTag!.endOffset - appendOffset,
           ` nonce="${nonce}"`,
         )
       }