X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FHtml.php;h=019e0785f9dbab8fc06bf51734b99a5e00a6fd15;hb=5e3ecf6a4e98c4416a08411896f2fca975071327;hp=dfd80a8c434dd7ef0bd00a9aa7dcefc334e882eb;hpb=fc5dced1ce8151b0354e0efda28a7542713f9cbe;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Html.php b/includes/Html.php
index dfd80a8c43..019e0785f9 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -557,10 +557,18 @@ class Html {
 * literal "" or (for XML) literal "]]>".
 *
 * @param string $contents JavaScript
+ * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
 * @return string Raw HTML
 */
- public static function inlineScript( $contents ) {
+ public static function inlineScript( $contents, $nonce = null ) {
 $attrs = [];
+ if ( $nonce !== null ) {
+ $attrs['nonce'] = $nonce;
+ } else {
+ if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
+ }
+ }
 if ( preg_match( '/[<&]/', $contents ) ) {
 $contents = "/**/";
@@ -574,10 +582,18 @@ class Html {
 * "".
 *
 * @param string $url
+ * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
 * @return string Raw HTML
 */
- public static function linkedScript( $url ) {
+ public static function linkedScript( $url, $nonce = null ) {
 $attrs = [ 'src' => $url ];
+ if ( $nonce !== null ) {
+ $attrs['nonce'] = $nonce;
+ } else {
+ if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
+ }
+ }
 return self::element( 'script', $attrs );
 }
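Review bot: The `$nonce !== null` test in inlineScript() accepts any non-null value, so an empty string or `false` passed by a caller takes the first branch, skips the `wfWarn()` and leaves the tag without a usable nonce. Whether OutputPage::getCSPNonce() can return such a value is not visible in this hunk and should be confirmed; if it can, `if ( is_string( $nonce ) && $nonce !== '' ) {` keeps the warning reachable. The docblock should read `@param string|null $nonce` and say that null means no nonce attribute is emitted. The same block and the same docblock line are repeated in the linkedScript() hunk, so a shared private helper would keep the two in step. inlineScript()'s body continues outside the hunk.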
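Review bot: The warning added to linkedScript() says CSP will break the script, but a linked script without a nonce can still be allowed when its URL matches a source in the policy's script-src list, so the message may mislead whoever triages the log. The policy itself is not visible on this page, so treat this as a point to confirm. A wording such as `wfWarn( "no nonce set on linked script; it loads only if CSP allows its URL" );` covers both outcomes and also distinguishes this call site from the identical message in inlineScript().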
@@ -589,9 +605,12 @@ class Html { * * @param string $contents CSS * @param string $media A media type string, like 'screen' + * @param array $attribs (since 1.31) Associative array of attributes, e.g., [ + * 'href' => 'https://www.mediawiki.org/' ]. See expandAttributes() for + * further documentation. * @return string Raw HTML */ - public static function inlineStyle( $contents, $media = 'all' ) { + public static function inlineStyle( $contents, $media = 'all', $attribs = [] ) { // Don't escape '>' since that is used // as direct child selector. // Remember, in css, there is no "x" for hexadecimal escapes, and @@ -609,7 +628,7 @@ class Html { return self::rawElement( 'style', [ 'media' => $media, - ], $contents ); + ] + $attribs, $contents ); } /**
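Review bot: The new `$attribs` parameter of inlineStyle() is declared without a type, while the following hunk applies `+` to it, so a non-array argument fails inside the return statement instead of at the call boundary. Declaring it as `array $attribs = []` in the signature rejects bad callers earlier and matches the `@param array` docblock. The docblock example uses `'href'`, which is not an attribute of a `<style>` element; since this commit adds CSP nonces to scripts, presumably `[ 'nonce' => $nonce ]` is the intended use and would make a clearer example. inlineStyle()'s body is only partly inside the hunk.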
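Review bot: In `[ 'media' => $media ] + $attribs` the left operand wins on duplicate keys, so a `'media'` entry in `$attribs` is silently dropped in favour of the `$media` argument. That precedence is reasonable but is stated nowhere; a comment above the return, e.g. `// $media takes precedence over any 'media' key in $attribs`, or a sentence in the `@param array $attribs` doc would record it. Keys and values from `$attribs` reach rawElement() unchanged here, so callers should pass only trusted attribute names unless expandAttributes() validates them, which is not visible in this hunk.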