aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--core/templates/layout.base.php9
-rw-r--r--core/templates/layout.guest.php9
-rw-r--r--core/templates/layout.user.php9
-rw-r--r--lib/private/legacy/template.php4
-rw-r--r--lib/private/legacy/template/functions.php37
5 files changed, 44 insertions, 24 deletions
diff --git a/core/templates/layout.base.php b/core/templates/layout.base.php
index e2e61e67e2c..7eb1cf5ffa4 100644
--- a/core/templates/layout.base.php
+++ b/core/templates/layout.base.php
@@ -12,20 +12,13 @@
<link rel="icon" href="<?php print_unescaped(image_path('', 'favicon.ico')); /* IE11+ supports png */ ?>">
<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path('', 'favicon-touch.png')); ?>">
<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path('', 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
- <?php if (isset($_['inline_ocjs'])): ?>
- <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" type="text/javascript">
- <?php print_unescaped($_['inline_ocjs']); ?>
- </script>
- <?php endif; ?>
<?php foreach ($_['cssfiles'] as $cssfile): ?>
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>">
<?php endforeach; ?>
<?php foreach($_['printcssfiles'] as $cssfile): ?>
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print">
<?php endforeach; ?>
- <?php foreach ($_['jsfiles'] as $jsfile): ?>
- <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
- <?php endforeach; ?>
+ <?php emit_script_loading_tags($_); ?>
<?php print_unescaped($_['headers']); ?>
</head>
<body id="body-public">
diff --git a/core/templates/layout.guest.php b/core/templates/layout.guest.php
index 2c2373d53aa..dc56edb0061 100644
--- a/core/templates/layout.guest.php
+++ b/core/templates/layout.guest.php
@@ -13,20 +13,13 @@
<link rel="icon" href="<?php print_unescaped(image_path('', 'favicon.ico')); /* IE11+ supports png */ ?>">
<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path('', 'favicon-touch.png')); ?>">
<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path('', 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
- <?php if (isset($_['inline_ocjs'])): ?>
- <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" type="text/javascript">
- <?php print_unescaped($_['inline_ocjs']); ?>
- </script>
- <?php endif; ?>
<?php foreach($_['cssfiles'] as $cssfile): ?>
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>">
<?php endforeach; ?>
<?php foreach($_['printcssfiles'] as $cssfile): ?>
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print">
<?php endforeach; ?>
- <?php foreach($_['jsfiles'] as $jsfile): ?>
- <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
- <?php endforeach; ?>
+ <?php emit_script_loading_tags($_); ?>
<?php print_unescaped($_['headers']); ?>
</head>
<body id="<?php p($_['bodyid']);?>">
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 978534b869c..aad9875f375 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -21,20 +21,13 @@
<link rel="apple-touch-icon-precomposed" href="<?php print_unescaped(image_path($_['appid'], 'favicon-touch.png')); ?>">
<link rel="mask-icon" sizes="any" href="<?php print_unescaped(image_path($_['appid'], 'favicon-mask.svg')); ?>" color="<?php p($theme->getColorPrimary()); ?>">
<link rel="manifest" href="<?php print_unescaped(image_path($_['appid'], 'manifest.json')); ?>">
- <?php if (isset($_['inline_ocjs'])): ?>
- <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" type="text/javascript">
- <?php print_unescaped($_['inline_ocjs']); ?>
- </script>
- <?php endif; ?>
<?php foreach($_['cssfiles'] as $cssfile): ?>
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>">
<?php endforeach; ?>
<?php foreach($_['printcssfiles'] as $cssfile): ?>
<link rel="stylesheet" href="<?php print_unescaped($cssfile); ?>" media="print">
<?php endforeach; ?>
- <?php foreach($_['jsfiles'] as $jsfile): ?>
- <script nonce="<?php p(\OC::$server->getContentSecurityPolicyNonceManager()->getNonce()) ?>" src="<?php print_unescaped($jsfile); ?>"></script>
- <?php endforeach; ?>
+ <?php emit_script_loading_tags($_); ?>
<?php print_unescaped($_['headers']); ?>
</head>
<body id="<?php p($_['bodyid']);?>">
diff --git a/lib/private/legacy/template.php b/lib/private/legacy/template.php
index b4c69327438..4f7c11d0b64 100644
--- a/lib/private/legacy/template.php
+++ b/lib/private/legacy/template.php
@@ -12,6 +12,7 @@
* @author Joas Schilling <coding@schilljs.com>
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
* @author Lukas Reschke <lukas@statuscode.ch>
+ * @author Michael Letzgus <develope@michael-letzgus.de>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Raghu Nayyar <hey@raghunayyar.com>
* @author Robin Appelman <robin@icewind.nl>
@@ -208,6 +209,9 @@ class OC_Template extends \OC\Template\Base {
$headers = '';
foreach(OC_Util::$headers as $header) {
$headers .= '<'.\OCP\Util::sanitizeHTML($header['tag']);
+ if ( strcasecmp($header['tag'], 'script') === 0 && in_array('src', array_map('strtolower', array_keys($header['attributes']))) ) {
+ $headers .= ' defer';
+ }
foreach($header['attributes'] as $name=>$value) {
$headers .= ' '.\OCP\Util::sanitizeHTML($name).'="'.\OCP\Util::sanitizeHTML($value).'"';
}
diff --git a/lib/private/legacy/template/functions.php b/lib/private/legacy/template/functions.php
index 7814918b815..06eb512b54f 100644
--- a/lib/private/legacy/template/functions.php
+++ b/lib/private/legacy/template/functions.php
@@ -7,6 +7,7 @@
* @author Joas Schilling <coding@schilljs.com>
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
* @author Lukas Reschke <lukas@statuscode.ch>
+ * @author Michael Letzgus <develope@michael-letzgus.de>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Robin McCorkell <robin@mccorkell.me.uk>
* @author Roeland Jago Douma <roeland@famdouma.nl>
@@ -38,6 +39,42 @@ function p($string) {
}
/**
+ * Prints a <script> tag with nonce and defer depending on config
+ * @param string $src the source URL, ignored when empty
+ * @param string $script_content the inline script content, ignored when empty
+ * @param bool $defer_flag deferred loading or not
+*/
+function emit_script_tag($src, $script_content) {
+ $defer_str=' defer';
+ $s='<script nonce="' . \OC::$server->getContentSecurityPolicyNonceManager()->getNonce() . '"';
+ if (!empty($src)) {
+ // emit script tag for deferred loading from $src
+ $s.=$defer_str.' src="' . $src .'">';
+ } else if (!empty($script_content)) {
+ // emit script tag for inline script from $script_content without defer (see MDN)
+ $s.=">\n".$script_content."\n";
+ } else {
+ // no $src nor $src_content, really useless empty tag
+ $s.='>';
+ }
+ $s.='</script>';
+ print_unescaped($s."\n");
+}
+
+/**
+ * Print all <script> tags for loading JS
+ * @param hash $obj all the script information from template
+*/
+function emit_script_loading_tags($obj) {
+ if (!empty($obj['inline_ocjs'])) {
+ emit_script_tag('', $obj['inline_ocjs']);
+ }
+ foreach($obj['jsfiles'] as $jsfile) {
+ emit_script_tag($jsfile, '');
+ }
+}
+
+/**
* Prints an unsanitized string - usage of this function may result into XSS.
* Consider using p() instead.
* @param string|array $string the string which will be printed as it is