fix: csp nonce injection when no closing tag (#16281) #16282
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
7 tasks
sapphi-red
added
the
p3-minor-bug
sapphi-red
reviewed
Mar 29, 2024
gregtwallace
force-pushed
the
csp-link-fix
branch
from
c495d72
to
5bbc17b
Compare
Not all html elements have an ending tag, for example: <link rel="stylesheet" href="/roboto.css" /> In such cases, the current injection func injects the nonce after the forward slash, instead of before it current result: <link rel="stylesheet" href="/roboto.css" / nonce="abc123"> this patch corrects the behavior to: <link rel="stylesheet" href="/roboto.css" nonce="abc123"/>
gregtwallace
force-pushed
the
csp-link-fix
branch
from
5bbc17b
to
e5fa777
Compare
Change fix method due to the way some tags are manipulated elsewhere. For example, the csp playground contains: <link rel="stylesheet" href="./linked.css" /> Which is then transformed into this prior to nonce injection: <link rel="stylesheet" crossorigin href="/assets/index-BTAfrA7H.css"> There is no endTag, but the startTag no longer ends in `/>`. This is likely not ideal but this fix works around that issue.
|
Fixed. The way the HTML is manipulated in the playground vs. how it is manipulated when running I'm not sure what the remaining error is being caused by, but it appears unrelated. |
sapphi-red
reviewed
Mar 31, 2024
patak-dev
approved these changes
Mar 31, 2024
patak-dev
pushed a commit
that referenced
this pull request
Apr 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Not all html elements have an ending tag, for example:
In such cases, the current injection func injects the nonce after the forward slash, instead of before it current result:
this patch corrects the behavior to: