Merge pull request #4220 from dokuwiki/csp-nonce

CSP nonce handling

inc/Ui/Editor.php

@@ -150,7 +150,7 @@ public function show()
         // start editor html output
         if ($wr) {
             // sets changed to true when previewed
-            echo '<script>/*<![CDATA[*/textChanged = ' . ($mod ? 'true' : 'false') . '/*!]]>*/</script>';
+            tpl_inlineScript('textChanged = ' . ($mod ? 'true' : 'false') . ';');
         }
 
         // print intro locale text (edit, rditrev, or read.txt)

inc/template.php

@@ -379,6 +379,7 @@ function tpl_metaheaders($alt = true)
     }
     jsinfo();
     $script .= 'var JSINFO = ' . json_encode($JSINFO, JSON_THROW_ON_ERROR) . ';';
+    $script .= '(function(H){H.className=H.className.replace(/\bno-js\b/,\'js\')})(document.documentElement);';
     $head['script'][] = ['_data' => $script];
 
     // load jquery
@@ -411,39 +412,58 @@ function tpl_metaheaders($alt = true)
  * For tags having a body attribute specify the body data in the special
  * attribute '_data'. This field will NOT BE ESCAPED automatically.
  *
+ * Inline scripts will use any nonce provided in the environment variable 'NONCE'.
+ *
  * @param array $data
  *
  * @author Andreas Gohr <andi@splitbrain.org>
  */
 function _tpl_metaheaders_action($data)
 {
+    $nonce = getenv('NONCE');
     foreach ($data as $tag => $inst) {
-        if ($tag == 'script') {
-            echo "<!--[if gte IE 9]><!-->\n"; // no scripts for old IE
-        }
         foreach ($inst as $attr) {
             if (empty($attr)) {
                 continue;
             }
+            if ($nonce && $tag == 'script' && !empty($attr['_data'])) {
+                $attr['nonce'] = $nonce; // add nonce to inline script tags
+            }
             echo '<', $tag, ' ', buildAttributes($attr);
             if (isset($attr['_data']) || $tag == 'script') {
-                if ($tag == 'script' && isset($attr['_data']))
-                    $attr['_data'] = "/*<![CDATA[*/" .
-                        $attr['_data'] .
-                        "\n/*!]]>*/";
-
                 echo '>', $attr['_data'] ?? '', '</', $tag, '>';
             } else {
                 echo '/>';
             }
             echo "\n";
         }
-        if ($tag == 'script') {
-            echo "<!--<![endif]-->\n";
-        }
     }
 }
 
+/**
+ * Output the given script as inline script tag
+ *
+ * This function will add the nonce attribute if a nonce is available.
+ *
+ * The script is NOT automatically escaped!
+ *
+ * @param string $script
+ * @param bool $return Return or print directly?
+ * @return string|void
+ */
+function tpl_inlineScript($script, $return = false)
+{
+    $nonce = getenv('NONCE');
+    if ($nonce) {
+        $script = '<script nonce="' . $nonce . '">' . $script . '</script>';
+    } else {
+        $script = '<script>' . $script . '</script>';
+    }
+
+    if ($return) return $script;
+    echo $script;
+}
+
 /**
  * Print a link
  *

lib/tpl/dokuwiki/detail.php

@@ -19,7 +19,6 @@
         <?php echo hsc(tpl_img_getTag('IPTC.Headline', $IMG))?>
         [<?php echo strip_tags($conf['title'])?>]
     </title>
-    <script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
     <?php tpl_metaheaders()?>
     <meta name="viewport" content="width=device-width,initial-scale=1" />
     <?php echo tpl_favicon(['favicon', 'mobile']) ?>

lib/tpl/dokuwiki/main.php

@@ -18,7 +18,6 @@
 <head>
     <meta charset="utf-8" />
     <title><?php tpl_pagetitle() ?> [<?php echo strip_tags($conf['title']) ?>]</title>
-    <script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
     <?php tpl_metaheaders() ?>
     <meta name="viewport" content="width=device-width,initial-scale=1" />
     <?php echo tpl_favicon(['favicon', 'mobile']) ?>

lib/tpl/dokuwiki/mediamanager.php

@@ -18,7 +18,6 @@
         <?php echo hsc($lang['mediaselect'])?>
         [<?php echo strip_tags($conf['title'])?>]
     </title>
-    <script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
     <?php tpl_metaheaders()?>
     <meta name="viewport" content="width=device-width,initial-scale=1" />
     <?php echo tpl_favicon(['favicon', 'mobile']) ?>