From e5fa7772ab4639dde9fa0a6e2480b4e4778a1926 Mon Sep 17 00:00:00 2001
From: "Greg T. Wallace"
Date: Fri, 29 Mar 2024 11:46:43 -0400
Subject: [PATCH 1/3] fix: csp nonce injection when no closing tag (#16281)

Not all html elements have an ending tag, for example: In such cases, the current injection func injects the nonce after the forward slash, instead of before it current result: this patch corrects the behavior to:
---
 packages/vite/src/node/plugins/html.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts
index 19cc7b4c6cade2..4dbdb5d93b7bad 100644
--- a/packages/vite/src/node/plugins/html.ts
+++ b/packages/vite/src/node/plugins/html.ts
@@ -1189,8 +1189,12 @@ export function injectNonceAttributeTagHook(
 parseRelAttr(attr.value).some((a) => processRelType.has(a)),
 ))
 ) {
+ // if there is no endTag, the end of the startTag will be `/>`
+ // therefore, the appendOffset should be 2 in this case, instead of 1
+ const appendOffset = node?.sourceCodeLocation?.endTag ? 1 : 2
+
 s.appendRight(
- node.sourceCodeLocation!.startTag!.endOffset - 1,
+ node.sourceCodeLocation!.startTag!.endOffset - appendOffset,
 ` nonce="${nonce}"`,
 )
 }
From 67c7bd96261d9b348a46f8b929d5fba039a8ce01 Mon Sep 17 00:00:00 2001
From: "Greg T. Wallace"
Date: Fri, 29 Mar 2024 17:06:58 -0400
Subject: [PATCH 2/3] fix: csp nonce injection when no closing tag (#16281) (pt. 2)

Change fix method due to the way some tags are manipulated elsewhere. For example, the csp playground contains: Which is then transformed into this prior to nonce injection: There is no endTag, but the startTag no longer ends in `/>`. This is likely not ideal but this fix works around that issue.
---
 packages/vite/src/node/plugins/html.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts
index 4dbdb5d93b7bad..ba1f5eab414298 100644
--- a/packages/vite/src/node/plugins/html.ts
+++ b/packages/vite/src/node/plugins/html.ts
@@ -1189,9 +1189,12 @@ export function injectNonceAttributeTagHook(
 parseRelAttr(attr.value).some((a) => processRelType.has(a)),
 ))
 ) {
- // if there is no endTag, the end of the startTag will be `/>`
- // therefore, the appendOffset should be 2 in this case, instead of 1
- const appendOffset = node?.sourceCodeLocation?.endTag ? 1 : 2
+ // if the closing of the start tag includes a `/`, the offset should be 2 so the nonce
+ // is appended prior to the `/`
+ const appendOffset =
+ html.charAt(node.sourceCodeLocation!.startTag!.endOffset - 2) === '/'
+ ? 2
+ : 1

 s.appendRight(
 node.sourceCodeLocation!.startTag!.endOffset - appendOffset,
From ac56128111775f279223543b45a36cba785c3fed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=BF=A0=20/=20green?=
Date: Mon, 1 Apr 2024 00:52:29 +0900
Subject: [PATCH 3/3] chore: update
---
 packages/vite/src/node/plugins/html.ts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts
index ba1f5eab414298..232f9cc0e037a3 100644
--- a/packages/vite/src/node/plugins/html.ts
+++ b/packages/vite/src/node/plugins/html.ts
@@ -1192,9 +1192,7 @@ export function injectNonceAttributeTagHook(
 // if the closing of the start tag includes a `/`, the offset should be 2 so the nonce
 // is appended prior to the `/`
 const appendOffset =
- html.charAt(node.sourceCodeLocation!.startTag!.endOffset - 2) === '/'
- ? 2
- : 1
+ html[node.sourceCodeLocation!.startTag!.endOffset - 2] === '/' ? 2 : 1

 s.appendRight(
 node.sourceCodeLocation!.startTag!.endOffset - appendOffset,
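Review bot: The `/` test that sets `appendOffset` in the 2/3 hunk (kept as an index lookup in the 3/3 hunk) looks only at the character before `>`, so it also fires when that slash is the last character of an unquoted attribute value, as in `href=/assets/>`; the nonce would then be spliced in before the slash and the URL the tag loads would silently change. If the parser's per-attribute locations (`startTag.attrs`) are populated here, the slash can be accepted only when it sits at or after the end of the last attribute, as sketched below. The series touches only `html.ts`, so a test covering `/>`, a plain `>` and an unquoted value ending in `/` would pin the behaviour down. `injectNonceAttributeTagHook` starts and ends outside both hunks, so it should be confirmed there that `html` is the same string the offsets index into.

```typescript
const startTag = node.sourceCodeLocation!.startTag!
// end of the last attribute; 0 when the tag has none
const lastAttrEnd = Math.max(
  0,
  ...Object.values(startTag.attrs ?? {}).map((loc) => loc.endOffset),
)
// a `/` before `>` closes the tag only if it is not inside an attribute,
// e.g. it is part of the value in `href=/assets/>`
const slashAt = startTag.endOffset - 2
const appendOffset = html[slashAt] === '/' && lastAttrEnd <= slashAt ? 2 : 1

// … unchanged: s.appendRight(...) call using appendOffset …
```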