Fixed nonce logic and test cases

lib/chartkick/helper.rb

@@ -47,7 +47,7 @@ def chartkick_chart(klass, data_source, nonce: true, **options)
       # content_for: nil must override default
       content_for = options.key?(:content_for) ? options.delete(:content_for) : Chartkick.content_for
 
-      if nonce
+      if nonce == true
         # Secure Headers also defines content_security_policy_nonce but it takes an argument
         # Rails 5.2 overrides this method, but earlier versions do not
         if respond_to?(:content_security_policy_nonce) && (content_security_policy_nonce rescue nil)
@@ -56,6 +56,8 @@ def chartkick_chart(klass, data_source, nonce: true, **options)
         elsif respond_to?(:content_security_policy_script_nonce)
           # Secure Headers
           nonce = content_security_policy_script_nonce
+        else
+          nonce = nil
         end
       end
       nonce_html = nonce ? " nonce=\"#{ERB::Util.html_escape(nonce)}\"" : nil

test/chartkick_test.rb

@@ -43,13 +43,13 @@ def test_timeline
   def test_escape_data
     bad_data = "</script><script>alert('xss')</script>"
     assert_includes column_chart(bad_data), "\\u003cscript\\u003e"
-    refute_includes column_chart(bad_data), "<script>"
+    refute_includes column_chart(bad_data), "<script>alert"
   end
 
   def test_escape_options
     bad_options = {xss: "</script><script>alert('xss')</script>"}
     assert_includes column_chart([], **bad_options), "\\u003cscript\\u003e"
-    refute_includes column_chart([], **bad_options), "<script>"
+    refute_includes column_chart([], **bad_options), "<script>alert"
   end
 
   def test_options_not_mutated