[BUGFIX] Add CSP nonce value to RequireJS

Resolves: #100862 Releases: main, 12.4 Change-Id: I465714a4f9d1f1dc1d194d0122e9fae5ac6fa759 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79095 Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · May 22, 2023 · 50872f2 · 50872f2
1 parent 23df312
commit 50872f2
Showing 1 changed file with 23 additions and 12 deletions.
diff --git a/typo3/sysext/core/Classes/Page/PageRenderer.php b/typo3/sysext/core/Classes/Page/PageRenderer.php
@@ -1594,22 +1594,32 @@ protected function getRequireJsLoader(): string
         }
         $requireJsUri = $this->processJsFile($this->requireJsPath . 'require.js');
         // add (probably filtered) RequireJS configuration
+        $commonAttributes = $this->nonce !== null ? ['nonce' => $this->nonce->consume()] : [];
         if ($this->getApplicationType() === 'BE') {
             $html .= sprintf(
-                '<script src="%s"></script>' . "\n",
-                htmlspecialchars($requireJsUri)
+                '<script %s></script>' . "\n",
+                GeneralUtility::implodeAttributes([
+                    ...$commonAttributes,
+                    'src' => $requireJsUri,
+                ], true)
             );
             $html .= sprintf(
-                '<script src="%s">/* %s */</script>' . "\n",
-                htmlspecialchars($this->getStreamlinedFileName('EXT:core/Resources/Public/JavaScript/require-jsconfig-handler.js', true)),
+                '<script %s>/* %s */</script>' . "\n",
+                GeneralUtility::implodeAttributes([
+                    ...$commonAttributes,
+                    'src' => $this->getStreamlinedFileName('EXT:core/Resources/Public/JavaScript/require-jsconfig-handler.js'),
+                ], true),
                 (string)json_encode($requireJsConfig, JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG)
             );
         } else {
             $html .= GeneralUtility::wrapJS('var require = ' . json_encode($requireJsConfig)) . LF;
             // directly after that, include the require.js file
             $html .= sprintf(
-                '<script src="%s"></script>' . "\n",
-                htmlspecialchars($requireJsUri)
+                '<script %s></script>' . "\n",
+                GeneralUtility::implodeAttributes([
+                    ...$commonAttributes,
+                    'src' => $requireJsUri,
+                ], true)
             );
         }
         // use (anonymous require.js loader). Used to shim ES6 modules and when not
@@ -1618,12 +1628,13 @@ protected function getRequireJsLoader(): string
             ($this->getApplicationType() === 'BE' && $this->javaScriptRenderer->hasImportMap()) ||
             !empty($requireJsConfig['typo3BaseUrl'])
         ) {
-            $html .= '<script src="'
-                . $this->getStreamlinedFileName(
-                    'EXT:core/Resources/Public/JavaScript/requirejs-loader.js',
-                    true
-                )
-                . '"></script>' . LF;
+            $html .= sprintf(
+                '<script %s></script>' . "\n",
+                GeneralUtility::implodeAttributes([
+                    ...$commonAttributes,
+                    'src' => $this->getStreamlinedFileName('EXT:core/Resources/Public/JavaScript/requirejs-loader.js'),
+                ], true)
+            );
         }
 
         return $html;