fix(security): Add missing CSP nonce attributes to script tags in box_cssjs.php (#460)

Copilot · skerbis · web-flow · commit 31e3b6423b3f · 2026-02-16T15:54:58.000+01:00
* Initial plan

* fix(security): Add missing nonce attributes to all script tags in box_cssjs.php

Co-authored-by: skerbis &lt;791247+skerbis@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: skerbis &lt;791247+skerbis@users.noreply.github.com&gt;
diff --git a/fragments/ConsentManager/box_cssjs.php b/fragments/ConsentManager/box_cssjs.php
@@ -54,7 +54,7 @@
         $googleConsentModeScriptFile = 'google_consent_mode_v2.js';
     }
     $googleConsentModeScriptUrl = $addon->getAssetsUrl($googleConsentModeScriptFile);
-    $googleConsentModeOutput .= '    <script src="' . $googleConsentModeScriptUrl . '" defer></script>' . PHP_EOL;
+    $googleConsentModeOutput .= '    <script nonce="' . rex_response::getNonce() . '" src="' . $googleConsentModeScriptUrl . '" defer></script>' . PHP_EOL;
 
     // Debug-Script laden wenn Debug-Modus aktiviert UND User im Backend eingeloggt
     if (isset($consent_manager->domainInfo['google_consent_mode_debug'])
@@ -65,10 +65,10 @@
         // Nur für eingeloggte Backend-Benutzer
         if (rex_backend_login::hasSession() && null !== rex::getUser()) {
             $debugScriptUrl = $addon->getAssetsUrl('consent_debug.js');
-            $googleConsentModeOutput .= '    <script src="' . $debugScriptUrl . '" defer></script>' . PHP_EOL;
+            $googleConsentModeOutput .= '    <script nonce="' . rex_response::getNonce() . '" src="' . $debugScriptUrl . '" defer></script>' . PHP_EOL;
 
             // Debug-Konfiguration für JavaScript verfügbar machen
-            $googleConsentModeOutput .= '    <script>' . PHP_EOL;
+            $googleConsentModeOutput .= '    <script nonce="' . rex_response::getNonce() . '">' . PHP_EOL;
             $googleConsentModeOutput .= '        window.consentManagerDebugConfig = ' . json_encode([
                 'mode' => $consent_manager->domainInfo['google_consent_mode_enabled'],
                 'auto_mapping' => 'auto' === $consent_manager->domainInfo['google_consent_mode_enabled'],
@@ -164,8 +164,8 @@
     'mode' => 'opt-in',
 ];
 
-$consentparams['outputjs'] .= '    <script>var consent_manager_parameters = ' . json_encode($jsConfig, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) . ';</script>' . PHP_EOL;
-$consentparams['outputjs'] .= '    <script src="' . rex_url::frontendController($_params) . '" id="consent_manager_script" defer></script>' . PHP_EOL;
+$consentparams['outputjs'] .= '    <script nonce="' . rex_response::getNonce() . '">var consent_manager_parameters = ' . json_encode($jsConfig, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) . ';</script>' . PHP_EOL;
+$consentparams['outputjs'] .= '    <script nonce="' . rex_response::getNonce() . '" src="' . rex_url::frontendController($_params) . '" id="consent_manager_script" defer></script>' . PHP_EOL;
 
 // Ausgabe Google Consent Mode v2 (vor allem anderen)
 echo $googleConsentModeOutput;
