Merge pull request #6604 from kenjis/fix-safe_mailto-csp

fix: safe_mailto() does not work with CSP

Author: kenjis

system/Helpers/url_helper.php

@@ -369,7 +369,9 @@ function safe_mailto(string $email, string $title = '', $attributes = ''): strin
         $x = array_reverse($x);
 
         // improve obfuscation by eliminating newlines & whitespace
-        $output = '<script type="text/javascript">'
+        $cspNonce = csp_script_nonce();
+        $cspNonce = $cspNonce ? ' ' . $cspNonce : $cspNonce;
+        $output   = '<script type="text/javascript"' . $cspNonce . '>'
                 . 'var l=new Array();';
 
         foreach ($x as $i => $value) {

tests/system/Helpers/URLHelper/MiscUrlTest.php

@@ -468,14 +468,24 @@ public function safeMailtoPatterns()
      */
     public function testSafeMailto($expected = '', $email = '', $title = '', $attributes = '')
     {
-        $request      = Services::request($this->config);
+        $request      = Services::incomingrequest($this->config);
         $request->uri = new URI('http://example.com/');
 
         Services::injectMock('request', $request);
 
         $this->assertSame($expected, safe_mailto($email, $title, $attributes));
     }
 
+    public function testSafeMailtoWithCsp()
+    {
+        $this->config->CSPEnabled = true;
+        Factories::injectMock('config', 'App', $this->config);
+
+        $html = safe_mailto('[email protected]', 'Foo');
+
+        $this->assertMatchesRegularExpression('/<script .*?nonce="\w+?".*?>/u', $html);
+    }
+
     // Test auto_link
 
     public function autolinkUrls()