Add nonce to <script> elements (#1464)

Yannik · web-flow · commit 8a3bab78027f · 2023-09-19T16:17:37.000+02:00
diff --git a/src/JavascriptRenderer.php b/src/JavascriptRenderer.php
@@ -63,14 +63,20 @@ public function renderHead()
         $cssRoute = preg_replace('/\Ahttps?:/', '', $cssRoute);
         $jsRoute  = preg_replace('/\Ahttps?:/', '', $jsRoute);
 
+        $nonce = $this->getNonceAttribute();
+
         $html  = "<link rel='stylesheet' type='text/css' property='stylesheet' href='{$cssRoute}' data-turbolinks-eval='false' data-turbo-eval='false'>";
-        $html .= "<script src='{$jsRoute}' data-turbolinks-eval='false' data-turbo-eval='false'></script>";
+        $html .= "<script{$nonce} src='{$jsRoute}' data-turbolinks-eval='false' data-turbo-eval='false'></script>";
 
         if ($this->isJqueryNoConflictEnabled()) {
-            $html .= '<script data-turbo-eval="false">jQuery.noConflict(true);</script>' . "\n";
+            $html .= "<script{$nonce} data-turbo-eval='false'>jQuery.noConflict(true);</script>" . "\n";
         }
 
-        $html .= $this->getInlineHtml();
+        $inlineHtml = $this->getInlineHtml();
+        if ($nonce != '') {
+            $inlineHtml = preg_replace("/<script>/", "<script{$nonce}>", $inlineHtml);
+        }
+        $html .= $inlineHtml;
 
 
         return $html;
