fix: prevent HTML escaping of joined CSP strings

kanuba 2025-08-05 05:44:17 -04:00
parent 3a40ae5a83
commit 641f376b83


@ -74,19 +74,19 @@ content="default-src 'self'
{%- for domain in config.extra.allowed_domains -%}
{%- if domain.directive == "connect-src" -%}
{%- set configured_connect_src = domain.domains | join(sep=' ') -%}
{%- set configured_connect_src = domain.domains | join(sep=' ') | safe -%}
{%- set_global connect_src = connect_src ~ " " ~ configured_connect_src -%}
{%- continue -%}
{%- endif -%}
{%- if domain.directive == "script-src" -%}
{%- set configured_script_src = domain.domains | join(sep=' ') -%}
{%- set configured_script_src = domain.domains | join(sep=' ') | safe -%}
{%- set_global script_src = script_src ~ " " ~ configured_script_src -%}
{%- continue -%}
{%- endif -%}
{#- Handle directives that are not connect-src -#}
{{ domain.directive }} {{ domain.domains | join(sep=' ') -}}
{{ domain.directive }} {{ domain.domains | join(sep=' ') | safe -}}
{%- if domain.directive == "style-src" -%}
{%- if utterances_enabled or hyvortalk_enabled or mermaid_enabled %} 'unsafe-inline'