Skip to content

Commit

Permalink
strip_tags was too agressive
Browse files Browse the repository at this point in the history
Replaced with a regex that simply grabs whatever is inside the script. This is safer for e.g. variables that contain (pseudo)html
  • Loading branch information
Firesphere authored Sep 23, 2023
1 parent 7f234ad commit f345b4e
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions src/View/CSPBackend.php
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,11 @@ public function insertHeadTags($html, $uniquenessID = null): void
$type = $this->getTagType($html);
if ($type === 'javascript') {
$options = $this->getOptions($html);
static::$headJS[$uniquenessID] = [strip_tags($html) => $options];
ControllerCSPExtension::addJS(strip_tags($html));
// Grab everything between the script tags. All matches are okay, but the last one is the actual script content
preg_match('/<script (.*?)>(.*?)<\/script>/s', $html, $match);
$scriptContent = end($match);
static::$headJS[$uniquenessID] = [$scriptContent => $options];
ControllerCSPExtension::addJS($scriptContent);
} elseif ($type === 'css') {
$options = $this->getOptions($html); // SimpleXML does it's job here, we see the outcome
static::$headCSS[$uniquenessID] = [strip_tags($html) => $options];
Expand Down Expand Up @@ -96,7 +99,7 @@ public function getTagType($html): ?string
*/
protected function getOptions($html): array
{
$doc = simplexml_load_string($html); // SimpleXML does it's job here, we see the outcome
$doc = simplexml_load_string(str_replace('\\', '', $html)); // SimpleXML does it's job here, we see the outcome
$option = [];
foreach ($doc->attributes() as $key => $attribute) {
$option[$key] = (string)$attribute; // Add each option as a string
Expand Down

0 comments on commit f345b4e

Please sign in to comment.