zloy_linux/blog.zlinux.ru
3
0
Fork 0
Code Issues Pull Requests Activity

♻️ refactor: prevent HTML escaping of joined CSP strings (#553)

Browse Source
This commit is contained in:
Aleksandr Tenkoff
2025-08-11 18:20:50 +07:00
parent 762c309760
commit ddf2c54880
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
themes/tabi/templates/partials/content_security_policy.html
View File

@@ -75,19 +75,19 @@ content="default-src 'self'
{%- for domain in config.extra.allowed_domains -%} {%- for domain in config.extra.allowed_domains -%}
{%- if domain.directive == "connect-src" -%} {%- if domain.directive == "connect-src" -%}
{%- set configured_connect_src = domain.domains | join(sep=' ') -%} {%- set configured_connect_src = domain.domains | join(sep=' ') | safe -%}
{%- set_global connect_src = connect_src ~ " " ~ configured_connect_src -%} {%- set_global connect_src = connect_src ~ " " ~ configured_connect_src -%}
{%- continue -%} {%- continue -%}
{%- endif -%} {%- endif -%}
{%- if domain.directive == "script-src" -%} {%- if domain.directive == "script-src" -%}
{%- set configured_script_src = domain.domains | join(sep=' ') -%} {%- set configured_script_src = domain.domains | join(sep=' ') | safe -%}
{%- set_global script_src = script_src ~ " " ~ configured_script_src -%} {%- set_global script_src = script_src ~ " " ~ configured_script_src -%}
{%- continue -%} {%- continue -%}
{%- endif -%} {%- endif -%}
{#- Handle directives that are not connect-src -#} {#- Handle directives that are not connect-src -#}
{{ domain.directive }} {{ domain.domains | join(sep=' ') -}} {{ domain.directive }} {{ domain.domains | join(sep=' ') | safe -}}
{%- if domain.directive == "style-src" -%} {%- if domain.directive == "style-src" -%}
{%- if utterances_enabled or hyvortalk_enabled or mermaid_enabled %} 'unsafe-inline' {%- if utterances_enabled or hyvortalk_enabled or mermaid_enabled %} 'unsafe-inline'