Add nonce attribute to all JavaScript tags in templates and HTML page…

…s automatically

docs/CHANGELOG.md

@@ -4,7 +4,7 @@ Changelog
 1.9.5 (Unreleased)
 ------------------------
 - Enh #303: Fix visibility of the method `Controller::getAccessRules()`
-- Enh #305: JavaScript nonce placeholder for templates & HTML pages
+- Enh #305: Add nonce attribute to all JavaScript tags in templates and HTML pages automatically
 
 1.9.4 (October 24, 2023)
 ------------------------

helpers/Html.php

@@ -0,0 +1,32 @@
+<?php
+/**
+ * @link https://www.humhub.org/
+ * @copyright Copyright (c) HumHub GmbH & Co. KG
+ * @license https://www.humhub.com/licences
+ */
+
+namespace humhub\modules\custom_pages\helpers;
+
+use humhub\libs\Html as BaseHtml;
+
+class Html extends BaseHtml
+{
+    /**
+     * Add attribute "nonce" for all script tags found in the given content
+     *
+     * @param string|null $content
+     * @return string
+     */
+    public static function applyScriptNonce(?string $content): string
+    {
+        return $content === null
+            ? ''
+            : preg_replace_callback('/(<script)(.*?>)/i', [self::class, 'applyScriptNonceCallback'], $content);
+    }
+
+    protected static function applyScriptNonceCallback(array $m): string
+    {
+        $attrs = str_replace([' nonce=""', " nonce=''", ' nonce'], '', $m[2]);
+        return $m[1] . ' ' . self::nonce() . $attrs;
+    }
+}

lib/templates/twig/TwigEngine.php

@@ -1,17 +1,14 @@
 <?php
-
-namespace humhub\modules\custom_pages\lib\templates\twig;
 /**
  * @link https://www.humhub.org/
  * @copyright Copyright (c) 2015 HumHub GmbH & Co. KG
  * @license https://www.humhub.com/licences
  */
 
+namespace humhub\modules\custom_pages\lib\templates\twig;
 
-use humhub\libs\Html;
 use humhub\modules\custom_pages\lib\templates\TemplateEngine;
 use Twig\Environment;
-use Twig\TwigFunction;
 
 /**
  * The TwigEngine is the default template eninge of this module and is used to
@@ -33,10 +30,6 @@ public function render($template, $content)
         $loader = new DatabaseTwigLoader();
         $twig = new Environment($loader, ['autoescape' => false, 'debug' => true]);
 
-        $twig->addFunction(new TwigFunction('nonce', function () {
-            return Html::nonce();
-        }));
-
         return $twig->render($template, $content);
     }
 

models/Page.php

@@ -2,8 +2,8 @@
 
 namespace humhub\modules\custom_pages\models;
 
-use humhub\libs\Html;
 use humhub\modules\content\models\Content;
+use humhub\modules\custom_pages\helpers\Html;
 use humhub\modules\custom_pages\helpers\Url;
 use humhub\modules\custom_pages\models\forms\SettingsForm;
 use humhub\modules\custom_pages\modules\template\models\Template;
@@ -188,7 +188,7 @@ public function getContentTypes()
     public function getPageContent()
     {
         if ($this->type == HtmlType::ID) {
-            return preg_replace('/(<script.*?) nonce(="")?(.*?>)/i', '$1 ' . Html::nonce() . '$3', $this->page_content);
+            return Html::applyScriptNonce($this->page_content);
         }
 
         return $this->page_content;

modules/template/components/TemplateRenderer.php

@@ -1,9 +1,8 @@
 <?php
 
-
 namespace humhub\modules\custom_pages\modules\template\components;
 
-
+use humhub\modules\custom_pages\helpers\Html;
 use yii\web\HttpException;
 use humhub\modules\custom_pages\modules\template\models\TemplateInstance;
 
@@ -23,8 +22,6 @@ public static function render($page, $editMode = false)
             throw new HttpException(404, 'Template instance not found!');
         }
 
-        $html = '';
-
         if(!$editMode && TemplateCache::exists($templateInstance)) {
             $html = TemplateCache::get($templateInstance);
         } else {
@@ -33,7 +30,8 @@ public static function render($page, $editMode = false)
                 TemplateCache::set($templateInstance, $html);
             }
         }
-        return $html;
+
+        return Html::applyScriptNonce($html);
     }
 
-}
+}