X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2FHtml.php;h=019e0785f9dbab8fc06bf51734b99a5e00a6fd15;hb=cc0fe6c4a7cfad4dcecad5372c630d804914e4b2;hp=3bcf13132f1beaa98fb01dfb15eb1feee4c233d0;hpb=3f59cb9f3a53ad28f8a95fe299c5de6abd24b453;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/Html.php b/includes/Html.php
index 3bcf13132f..019e0785f9 100644
--- a/includes/Html.php
+++ b/includes/Html.php
@@ -557,10 +557,18 @@ class Html {
 * literal "" or (for XML) literal "]]>".
 *
 * @param string $contents JavaScript
+ * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
 * @return string Raw HTML
 */
- public static function inlineScript( $contents ) {
+ public static function inlineScript( $contents, $nonce = null ) {
 $attrs = [];
+ if ( $nonce !== null ) {
+ $attrs['nonce'] = $nonce;
+ } else {
+ if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
+ }
+ }
 if ( preg_match( '/[<&]/', $contents ) ) {
 $contents = "/**/";
@@ -574,10 +582,18 @@ class Html {
 * "".
 *
 * @param string $url
+ * @param string $nonce Nonce for CSP header, from OutputPage::getCSPNonce()
 * @return string Raw HTML
 */
- public static function linkedScript( $url ) {
+ public static function linkedScript( $url, $nonce = null ) {
 $attrs = [ 'src' => $url ];
+ if ( $nonce !== null ) {
+ $attrs['nonce'] = $nonce;
+ } else {
+ if ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
+ wfWarn( "no nonce set on script. CSP will break it" );
+ }
+ }
 return self::element( 'script', $attrs );
 }
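Review bot: The added `@param string $nonce` line in inlineScript's docblock contradicts the new `$nonce = null` default; it should read `@param string|null $nonce Nonce for CSP header, from OutputPage::getCSPNonce()`, and the linkedScript hunk needs the same correction. Because a nonce makes the policy accept the entire inline body, the docblock should also state that `$contents` must not carry unescaped untrusted data. The `$nonce !== null` test treats an empty string or `false` as a nonce and silences the warning; whether the getter can return such a value is not visible here, so that should be confirmed. The function body continues past the end of the hunk.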
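Review bot: The nonce check added to linkedScript is a copy of the block added to inlineScript, so a later fix to one (for example to the warning condition) can miss the other; a single private helper would hold it once, and the nested `else { if … }` becomes an `elseif`. The helper name below is a proposal, and the extra stack frame means wfWarn needs a caller offset one higher than its default so the report still points at the code that requested the script tag. Separately, a nonce lets the browser load `$url` even when its host is not in the policy's script-src list, so the docblock should say the URL must come from trusted configuration rather than request data. linkedScript's docblock starts outside the hunk.

```php
	public static function linkedScript( $url, $nonce = null ) {
		$attrs = self::withScriptNonce( [ 'src' => $url ], $nonce );
		// … unchanged: return self::element( 'script', $attrs ) …

	// Proposed helper, shared with inlineScript.
	private static function withScriptNonce( array $attrs, $nonce ) {
		if ( $nonce !== null ) {
			$attrs['nonce'] = $nonce;
		} elseif ( ContentSecurityPolicy::isEnabled( RequestContext::getMain()->getConfig() ) ) {
			// Offset 2: one frame deeper than the default, so the report names the caller.
			wfWarn( "no nonce set on script. CSP will break it", 2 );
		}
		return $attrs;
	}
```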