Merge pull request #6611 from kenjis/fix-add-script-nonce

fix: script_tag() does not work with CSP

Author: kenjis

system/Helpers/html_helper.php

@@ -194,7 +194,9 @@ function doctype(string $type = 'html5'): string
      */
     function script_tag($src = '', bool $indexPage = false): string
     {
-        $script = '<script ';
+        $cspNonce = csp_script_nonce();
+        $cspNonce = $cspNonce ? ' ' . $cspNonce : $cspNonce;
+        $script   = '<script' . $cspNonce . ' ';
         if (! is_array($src)) {
             $src = ['src' => $src];
         }

tests/system/Helpers/HTMLHelperTest.php

@@ -11,8 +11,10 @@
 
 namespace CodeIgniter\Helpers;
 
+use CodeIgniter\Config\Factories;
 use CodeIgniter\Files\Exceptions\FileNotFoundException;
 use CodeIgniter\Test\CIUnitTestCase;
+use Config\App;
 
 /**
  * @internal
@@ -269,6 +271,28 @@ public function testScriptTagWithSrcAndAttributes()
         $this->assertSame($expected, script_tag($target));
     }
 
+    public function testScriptTagWithCsp()
+    {
+        // Reset CSP object
+        $this->resetServices();
+
+        $config             = new App();
+        $config->CSPEnabled = true;
+        Factories::injectMock('config', 'App', $config);
+
+        $target = 'http://site.com/js/mystyles.js';
+        $html   = script_tag($target);
+
+        $this->assertMatchesRegularExpression(
+            '!<script nonce="\w+?" src="http://site.com/js/mystyles.js".*?>!u',
+            $html
+        );
+
+        // Reset CSP object
+        $this->resetFactories();
+        $this->resetServices();
+    }
+
     /**
      * This test has probably no real-world value but may help detecting
      * a change in the default behaviour.