* literal "</script>" or (for XML) literal "]]>".
*
* @param string $contents JavaScript
+ * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
* @return string Raw HTML
*/
- public static function inlineScript( $contents ) {
+ public static function inlineScript( $contents, $nonce = null ) {
$attrs = [];
+ if ( $nonce !== null ) {
+ $attrs['nonce'] = $nonce;
+ } else {
+ if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
+ }
+ }
if ( preg_match( '/[<&]/', $contents ) ) {
$contents = "/*<![CDATA[*/$contents/*]]>*/";
* "<script src=foo.js></script>".
*
* @param string $url
+ * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
* @return string Raw HTML
*/
- public static function linkedScript( $url ) {
+ public static function linkedScript( $url, $nonce = null ) {
$attrs = [ 'src' => $url ];
+ if ( $nonce !== null ) {
+ $attrs['nonce'] = $nonce;
+ } else {
+ if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
+ }
+ }
return self::element( 'script', $attrs );
}