Merge "Deprecate overriding SearchEngine::search*"

[lhc/web/wiklou.git] / includes / Html.php

diff --git a/includes/Html.php b/includes/Html.php
index 3bcf131..019e078 100644 (file)
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -557,10 +557,18 @@ class Html {
         * literal "</script>" or (for XML) literal "]]>".
         *
         * @param string $contents JavaScript
+        * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
         * @return string Raw HTML
         */
-       public static function inlineScript( $contents ) {
+       public static function inlineScript( $contents, $nonce = null ) {
                $attrs = [];
+               if ( $nonce !== null ) {
+                       $attrs['nonce'] = $nonce;
+               } else {
+                       if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+                               wfWarn( "no nonce set on script. CSP will break it" );
+                       }
+               }
 
                if ( preg_match( '/[<&]/', $contents ) ) {
                        $contents = "/*<![CDATA[*/$contents/*]]>*/";
@@ -574,10 +582,18 @@ class Html {
         * "<script src=foo.js></script>".
         *
         * @param string $url
+        * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
         * @return string Raw HTML
         */
-       public static function linkedScript( $url ) {
+       public static function linkedScript( $url, $nonce = null ) {
                $attrs = [ 'src' => $url ];
+               if ( $nonce !== null ) {
+                       $attrs['nonce'] = $nonce;
+               } else {
+                       if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+                               wfWarn( "no nonce set on script. CSP will break it" );
+                       }
+               }
 
                return self::element( 'script', $attrs );
        }