From ddf2c54880ad6627629c45e8320fef8d139635ae Mon Sep 17 00:00:00 2001
From: zloylinux
Date: Mon, 11 Aug 2025 18:20:50 +0700
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20refactor:=20prevent=20HTML?=
 =?UTF-8?q?=20escaping=20of=20joined=20CSP=20strings=20(#553)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 themes/tabi/templates/partials/content_security_policy.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/themes/tabi/templates/partials/content_security_policy.html b/themes/tabi/templates/partials/content_security_policy.html
index f8ec611..e619d7f 100644
--- a/themes/tabi/templates/partials/content_security_policy.html
+++ b/themes/tabi/templates/partials/content_security_policy.html
@@ -75,19 +75,19 @@ content="default-src 'self'
 {%- for domain in config.extra.allowed_domains -%}
 {%- if domain.directive == "connect-src" -%}
-{%- set configured_connect_src = domain.domains | join(sep=' ') -%}
+{%- set configured_connect_src = domain.domains | join(sep=' ') | safe -%}
 {%- set_global connect_src = connect_src ~ " " ~ configured_connect_src -%}
 {%- continue -%}
 {%- endif -%}
 {%- if domain.directive == "script-src" -%}
-{%- set configured_script_src = domain.domains | join(sep=' ') -%}
+{%- set configured_script_src = domain.domains | join(sep=' ') | safe -%}
 {%- set_global script_src = script_src ~ " " ~ configured_script_src -%}
 {%- continue -%}
 {%- endif -%}
 {#- Handle directives that are not connect-src -#}
-{{ domain.directive }} {{ domain.domains | join(sep=' ') -}}
+{{ domain.directive }} {{ domain.domains | join(sep=' ') | safe -}}
 {%- if domain.directive == "style-src" -%}
 {%- if utterances_enabled or hyvortalk_enabled or mermaid_enabled %} 'unsafe-inline'
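Review bot: The `| safe` added on the `{{ domain.directive }} {{ domain.domains | join(sep=' ') | safe -}}` line turns off Tera's HTML escaping for a value emitted inside the double-quoted `content="…"` attribute of the CSP meta tag, so a domains entry containing `"` or `>` would now close the attribute or the tag instead of being escaped; that is acceptable only because `config.extra.allowed_domains` is site-owner configuration, and that assumption deserves a note beside it, e.g. `{#- allowed_domains is owner-controlled config.toml; safe keeps CSP tokens such as 'unsafe-inline' from being escaped to &#x27; -#}`. For the two `{%- set … | join(sep=' ') | safe -%}` lines the filter is applied inside a `set` and the result is then concatenated with `~` into `connect_src`/`script_src`, and it is not clear from the hunk that the safe marker survives that path to the final `{{ }}` render, which lies outside the hunk; worth verifying with a domains entry containing `'`, since the `set` form may still be escaped. The `for` block opened at the top of the hunk closes outside it.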