From 53d4538eeda9203b880f48fddd1bde02f95a9496 Mon Sep 17 00:00:00 2001
From: zero-24
Date: Sat, 18 Apr 2020 11:44:26 +0200
Subject: [PATCH 1/5] make sure there rendere does not manipulate the inline CSS and JS
---
 libraries/src/Document/Renderer/Html/ScriptsRenderer.php | 6 +++---
 libraries/src/Document/Renderer/Html/StylesRenderer.php | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/libraries/src/Document/Renderer/Html/ScriptsRenderer.php b/libraries/src/Document/Renderer/Html/ScriptsRenderer.php
index dc764b10c36d8..6bd17cea7ea55 100644
--- a/libraries/src/Document/Renderer/Html/ScriptsRenderer.php
+++ b/libraries/src/Document/Renderer/Html/ScriptsRenderer.php
@@ -256,7 +256,7 @@ private function renderInlineElement($item) : string
 $buffer .= $tab . 'renderAttributes($attribs);
- $buffer .= '>' . $lnEnd;
+ $buffer .= '>';
 // This is for full XHTML support.
 if ($this->_doc->_mime !== 'text/html')
@@ -264,7 +264,7 @@ private function renderInlineElement($item) : string
 $buffer .= $tab . $tab . '//_doc->_mime !== 'text/html')
@@ -272,7 +272,7 @@ private function renderInlineElement($item) : string
 $buffer .= $tab . $tab . '//]]>' . $lnEnd;
 }
- $buffer .= $tab . '' . $lnEnd;
+ $buffer .= '' . $lnEnd;
 return $buffer;
 }
diff --git a/libraries/src/Document/Renderer/Html/StylesRenderer.php b/libraries/src/Document/Renderer/Html/StylesRenderer.php
index c8bb3d8c184bc..0c2fb650edf01 100644
--- a/libraries/src/Document/Renderer/Html/StylesRenderer.php
+++ b/libraries/src/Document/Renderer/Html/StylesRenderer.php
@@ -250,7 +250,7 @@ private function renderInlineElement($item) : string
 $buffer .= $tab . 'renderAttributes($attribs);
- $buffer .= '>' . $lnEnd;
+ $buffer .= '>';
 // This is for full XHTML support.
 if ($this->_doc->_mime !== 'text/html')
@@ -258,7 +258,7 @@ private function renderInlineElement($item) : string
 $buffer .= $tab . $tab . '/*_doc->_mime !== 'text/html')
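Review bot: Dropping the `$lnEnd` after `'>'` and the `$tab` before the closing tag makes the element body equal to `$item` only on the `text/html` path; in the `$this->_doc->_mime !== 'text/html'` branches the CDATA wrappers (the closing `'//]]>' . $lnEnd` is visible, the opening one is garbled in this copy of the hunk) are still emitted with `$tab . $tab` and `$lnEnd` inside the element. A browser computes a CSP hash over exactly the bytes between the tags, so for XHTML output the `sha256-` values that applyHashesToCspRule derives from the raw declaration would still not match the rendered content. Either the wrappers have to be part of what gets hashed or be skipped when hashes are in use, and the intent deserves a comment on the `'>'` line such as `// No whitespace around $item: the CSP hash is computed over the raw declaration.` The same applies to the StylesRenderer hunks below, which keep their `/*]]>*/` wrapper in the same way; renderInlineElement starts before each of these hunks.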
@@ -266,7 +266,7 @@ private function renderInlineElement($item) : string
 $buffer .= $tab . $tab . '/*]]>*/' . $lnEnd;
 }
- $buffer .= $tab . '' . $lnEnd;
+ $buffer .= '' . $lnEnd;
 return $buffer;
 }
From e2bf53a122bfad313b3d3a06508ddacdd48eb0f6 Mon Sep 17 00:00:00 2001
From: zero-24
Date: Sat, 18 Apr 2020 11:50:33 +0200
Subject: [PATCH 2/5] extend the array patch for styles too
---
 plugins/system/httpheaders/httpheaders.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/plugins/system/httpheaders/httpheaders.php b/plugins/system/httpheaders/httpheaders.php
index 12dba0d9ff0ff..8b97a90929753 100644
--- a/plugins/system/httpheaders/httpheaders.php
+++ b/plugins/system/httpheaders/httpheaders.php
@@ -175,7 +175,10 @@ public function applyHashesToCspRule(): void
 foreach ($inlineStyles as $type => $styleContent)
 {
- $styleHashes[] = "'sha256-" . base64_encode(hash('sha256', $styleContent, true)) . "'";
+ foreach ($styles as $hash => $styleContent)
+ {
+ $styleHashes[] = "'sha256-" . base64_encode(hash('sha256', $styleContent, true)) . "'";
+ }
 }
 }
From da8778204b13d28f5010b257dc34756ee6a565e4 Mon Sep 17 00:00:00 2001
From: zero-24
Date: Sat, 18 Apr 2020 12:07:40 +0200
Subject: [PATCH 3/5] fix auto mode
---
 plugins/system/httpheaders/httpheaders.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/system/httpheaders/httpheaders.php b/plugins/system/httpheaders/httpheaders.php
index 8b97a90929753..3d8452299a371 100644
--- a/plugins/system/httpheaders/httpheaders.php
+++ b/plugins/system/httpheaders/httpheaders.php
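Review bot: At this commit the new inner loop iterates `$styles`, but the outer loop on the context line above still binds `$styleContent` (`foreach ($inlineStyles as $type => $styleContent)`), so `$styles` is undefined here and no style hash is produced until PATCH 5/5 renames the outer variable. Each commit in the series should work on its own, so the two belong squashed, or the rename belongs in this hunk as `foreach ($inlineStyles as $type => $styles)`. The enclosing applyHashesToCspRule continues outside the hunk.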
@@ -413,12 +413,12 @@ private function compileAutomaticCspHeaderRules(): array
 $cspHeaderCollection = array_merge($cspHeaderCollection, array_fill_keys(['default-src'], ''));
 }
- if (!isset($cspHeaderCollection['script-src']) && $nonceEnabled)
+ if (!isset($cspHeaderCollection['script-src']) && $scriptHashesEnabled)
 {
 $cspHeaderCollection = array_merge($cspHeaderCollection, array_fill_keys(['script-src'], ''));
 }
- if (!isset($cspHeaderCollection['style-src']) && $nonceEnabled)
+ if (!isset($cspHeaderCollection['style-src']) && $styleHashesEnabled)
 {
 $cspHeaderCollection = array_merge($cspHeaderCollection, array_fill_keys(['style-src'], ''));
 }
From c3a0c3a7bda901158aa72e5d6b9723ad1e020b60 Mon Sep 17 00:00:00 2001
From: zero-24
Date: Sat, 18 Apr 2020 12:08:54 +0200
Subject: [PATCH 4/5] we need to check both
---
 plugins/system/httpheaders/httpheaders.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/plugins/system/httpheaders/httpheaders.php b/plugins/system/httpheaders/httpheaders.php
index 3d8452299a371..fd402d4c88211 100644
--- a/plugins/system/httpheaders/httpheaders.php
+++ b/plugins/system/httpheaders/httpheaders.php
@@ -413,12 +413,12 @@ private function compileAutomaticCspHeaderRules(): array
 $cspHeaderCollection = array_merge($cspHeaderCollection, array_fill_keys(['default-src'], ''));
 }
- if (!isset($cspHeaderCollection['script-src']) && $scriptHashesEnabled)
+ if (!isset($cspHeaderCollection['script-src']) && ($scriptHashesEnabled || $nonceEnabled))
 {
 $cspHeaderCollection = array_merge($cspHeaderCollection, array_fill_keys(['script-src'], ''));
 }
- if (!isset($cspHeaderCollection['style-src']) && $styleHashesEnabled)
+ if (!isset($cspHeaderCollection['style-src']) && ($scriptHashesEnabled || $nonceEnabled))
 {
 $cspHeaderCollection = array_merge($cspHeaderCollection, array_fill_keys(['style-src'], ''));
 }
From b50d48f79ca682ad51c3406c36f1fe1dff752fcb Mon Sep 17 00:00:00 2001
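Review bot: The second added condition in PATCH 4/5 reuses the script flag: `style-src` is now created on `($scriptHashesEnabled || $nonceEnabled)`, whereas PATCH 3/5 keyed it on `$styleHashesEnabled`, so the line should read `if (!isset($cspHeaderCollection['style-src']) && ($styleHashesEnabled || $nonceEnabled))`. As committed, enabling only style hashes without a nonce leaves no `style-src` entry for the hashes computed in applyHashesToCspRule to attach to, while enabling only script hashes adds an empty `style-src` entry that, if it is serialised as-is, a browser reads as a directive with no allowed source; how the collection is emitted lies outside this hunk, so that last effect is inferred. PATCH 5/5 does not touch this line. compileAutomaticCspHeaderRules continues on both sides of the hunk.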
From: zero-24
Date: Sat, 18 Apr 2020 12:09:57 +0200
Subject: [PATCH 5/5] styles
---
 plugins/system/httpheaders/httpheaders.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/system/httpheaders/httpheaders.php b/plugins/system/httpheaders/httpheaders.php
index fd402d4c88211..da58c7c1a3915 100644
--- a/plugins/system/httpheaders/httpheaders.php
+++ b/plugins/system/httpheaders/httpheaders.php
@@ -173,7 +173,7 @@ public function applyHashesToCspRule(): void
 // Generate the hashes for the style-src
 $inlineStyles = is_array($headData['style']) ? $headData['style'] : [];
- foreach ($inlineStyles as $type => $styleContent)
+ foreach ($inlineStyles as $type => $styles)
 {
 foreach ($styles as $hash => $styleContent)
 {
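Review bot: The inner loop on the last context line binds `$hash` but never uses it, and `$type` from the outer loop is likewise unused, so `foreach ($styles as $styleContent)` and `foreach ($inlineStyles as $styles)` would state the intent more plainly. Only `$headData['style']` is guarded by `is_array`; each `$styles` entry is iterated unguarded, so if the document can still supply a one-level `type => content` shape the inner `foreach` would emit a warning and silently produce no hash for that style — I cannot confirm the shape from this hunk, so a `(array) $styles` cast or `is_array` check is worth considering. A one-line comment above the outer loop, e.g. `// $headData['style'] is nested as type => [hash => declaration]`, would document the assumption. applyHashesToCspRule continues on both sides of the hunk.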