
Fix(nonce): correctly detect valid script elements #611

Draft
wants to merge 2 commits into main

Conversation

vejja (Collaborator) commented Mar 19, 2025

Closes #594
Closes #610

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)


vercel bot commented Mar 19, 2025

The latest updates on your projects.

Name: nuxt-security
Status: ✅ Ready (Inspect)
Preview: Visit Preview
Comments: 💬 Add feedback
Updated (UTC): Mar 19, 2025 8:12pm

…element pairs and add `nonce` attributes to `<script>` tags.

* Implement `parseHtmlRecursively` function to parse HTML and add `nonce` attributes recursively.
* Implement `addNonceToAttributes` function to handle `nonce` attribute addition.
* Update `addNonceToElement` function to use the new recursive parsing approach.
* Ensure the algorithm matches HTML element pairs recursively from the outermost to the innermost elements.

Copilot AI left a comment

Pull Request Overview

A bug fix PR that refactors nonce injection for HTML tags in SSR mode to correctly detect valid script elements.

  • Refactored nonce injection by replacing duplicated regex-based replacements with a reusable helper function (addNonceToElement).
  • Added new helper functions (parseHtmlRecursively and addNonceToAttributes) for improved HTML tag processing.
Comments suppressed due to low confidence (1)

src/runtime/nitro/plugins/40-cspSsrNonce.ts:74

  • Consider updating the regex to handle self-closing tags (e.g. <link ... />) by allowing an optional '/' before the closing '>'.
const tagRegex = new RegExp(`<${tagName}([^>]*?)>`, 'gi')

if (nonceRegex.test(rest)) {
  return match.replace(nonceRegex, `nonce="${nonce}"`)
}
return `<${tagName} nonce="${nonce}"${rest}>`

Copilot AI Mar 20, 2025


Ensure that a space is preserved between the injected nonce attribute and the rest of the attributes, especially if 'rest' does not start with a space.

Suggested change
return `<${tagName} nonce="${nonce}"${rest}>`
return `<${tagName} nonce="${nonce}"${rest.startsWith(' ') ? rest : ' ' + rest}>`

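The two Copilot review points above (an optional `/` before `>` for self-closing tags, and a guaranteed space between the injected `nonce` and the attributes that follow it) and the commit message's goal of matching only real element tags can be illustrated with a small regex-based helper. The TypeScript below is an added example written for this page; it is not code from nuxt-security or from this PR. The tag-boundary lookahead `(?=[\s/>])` (so that `<scripts>` is not treated as a `<script>` element), the `NONCE_ATTR` pattern, the `addNonceToHtml` helper with its default tag list, and the sample HTML are all assumptions of this example. Like any regex approach, it does not understand commented-out or nested markup, which is the limitation the PR's recursive parser is meant to remove.

```typescript
// Added example (not nuxt-security's own code). A regex-based helper that adds a
// CSP nonce to every opening tag of one element type in an SSR HTML string,
// covering the two review points: an optional "/" before ">" so self-closing
// tags such as <link ... /> still match, and a guaranteed space between the
// injected nonce and any attributes that follow it. Requiring the tag name to
// be followed by whitespace, "/" or ">" (so "<scripts>" is not treated as a
// <script> element) is an assumption of this example, not of the project.

/** Matches a nonce attribute preceded by whitespace, in any quoting style. */
const NONCE_ATTR = /\snonce=(?:"[^"]*"|'[^']*'|[^\s>]+)/i

function addNonceToElement(html: string, tagName: string, nonce: string): string {
  // Group 1 is the tag name as written (case preserved); group 2 is everything
  // up to the closing ">" (attributes and, for self-closing tags, a trailing "/").
  const tagRegex = new RegExp(`<(${tagName})(?=[\\s/>])([^>]*?)>`, 'gi')

  return html.replace(tagRegex, (match: string, name: string, rest: string): string => {
    // An existing nonce attribute is replaced, never duplicated.
    if (NONCE_ATTR.test(rest)) {
      return match.replace(NONCE_ATTR, ` nonce="${nonce}"`)
    }
    // Keep self-closing tags self-closing.
    const selfClosing = /\/\s*$/.test(rest)
    const attrs = (selfClosing ? rest.replace(/\/\s*$/, '') : rest).trim()
    // The spacer answers the review point: never glue nonce="..." to the next attribute.
    const spacer = attrs.length > 0 ? ` ${attrs}` : ''
    return `<${name} nonce="${nonce}"${spacer}${selfClosing ? ' />' : '>'}`
  })
}

/** Hypothetical helper: applies addNonceToElement to each tag name in turn. */
function addNonceToHtml(html: string, nonce: string, tagNames: string[] = ['script', 'link', 'style']): string {
  return tagNames.reduce((acc, tag) => addNonceToElement(acc, tag, nonce), html)
}

// Constructed sample document for the demonstration (not taken from the project).
const SAMPLE_HTML =
  '<html><head><link rel="stylesheet" href="/app.css"/><style>body{}</style></head>' +
  '<body><SCRIPT nonce=\'old\' src="/app.js"></SCRIPT><script>console.log(1)</script>' +
  '<scripts></scripts></body></html>'

console.log(addNonceToHtml(SAMPLE_HTML, 'r4nd0m'))
```

Running the block prints the sample document with a `nonce="r4nd0m"` on the `<link>`, `<style>` and both `<script>` tags, the stale `nonce='old'` replaced rather than duplicated, the `<link>` still self-closing, and the `<scripts>` element left alone.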
