fix: csp nonce injection when no closing tag (#16281) #16282
The tests seem to be failing, please have a look.
c495d72 to 5bbc17b
Not all html elements have an ending tag, for example: `<link rel="stylesheet" href="/roboto.css" />`

In such cases, the current injection func injects the nonce after the forward slash, instead of before it.

current result: `<link rel="stylesheet" href="/roboto.css" / nonce="abc123">`

this patch corrects the behavior to: `<link rel="stylesheet" href="/roboto.css" nonce="abc123"/>`
5bbc17b to e5fa777
Change fix method due to the way some tags are manipulated elsewhere.

For example, the csp playground contains: `<link rel="stylesheet" href="./linked.css" />`

Which is then transformed into this prior to nonce injection: `<link rel="stylesheet" crossorigin href="/assets/index-BTAfrA7H.css">`

There is no endTag, but the startTag no longer ends in `/>`. This is likely not ideal but this fix works around that issue.
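The behaviour described in the two commit messages above, as an added example that is not code from this pull request: `naiveInject` reproduces the misplaced attribute, and `injectNonce` places it before an optional `/` whether or not the start tag is self-closed. The function names, the regex-based approach and the tag list (`script`, `style`, `link`) are assumptions made for illustration.

```javascript
// Added illustration, not the pull request's code. Function names, the regex
// approach and the tag list (script, style, link) are assumptions.

// Start tag of a nonce-bearing element. Quoted attribute values are consumed
// whole so a '>' or '/' inside them cannot end the tag early. Group 3 captures
// the optional self-closing slash; whitespace before it is dropped.
const START_TAG =
  /<(script|style|link)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^'">])*?)\s*(\/?)>/gi;

// Nonces are normally base64, but escape anyway so the value cannot break out
// of the attribute.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// The behaviour the PR describes as the current result: the attribute is
// spliced in front of the final '>' only, so it lands after a trailing '/'.
function naiveInject(tag, nonce) {
  return `${tag.slice(0, -1)} nonce="${escapeAttr(nonce)}">`;
}

// Places the attribute after the last existing attribute and before any '/'.
// Tags that already carry a nonce attribute are left untouched.
function injectNonce(html, nonce) {
  const attr = ` nonce="${escapeAttr(nonce)}"`;
  return html.replace(START_TAG, (match, name, attrs, slash) => {
    if (/\snonce\s*=/i.test(attrs)) return match;
    return `<${name}${attrs}${attr}${slash}>`;
  });
}

// Constructed sample input covering both tag shapes from the commit messages.
const SAMPLE = [
  '<link rel="stylesheet" href="/roboto.css" />',
  '<link rel="stylesheet" crossorigin href="/assets/index-BTAfrA7H.css">',
  '<script type="module" src="/main.js"></script>',
].join('\n');

console.log(naiveInject('<link rel="stylesheet" href="/roboto.css" />', 'abc123'));
console.log(injectNonce(SAMPLE, 'abc123'));
```

A regex cannot tell markup from text inside a `<script>` or `<style>` body, so a pipeline that already has parsed tag locations should use those instead.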
Fixed. The way the HTML is manipulated in the playground vs. how it is manipulated when running I'm not sure what the remaining error is being caused by, but it appears unrelated.
Thanks!