From a9716ea13e421c956ddb54f43e7e5483904621a0 Mon Sep 17 00:00:00 2001
From: Thomas Skerbis <thomas.skerbis@mac.com>
Date: Mon, 16 Feb 2026 16:55:14 +0100
Subject: [PATCH 1/2] fix: respect outputowncss setting and add missing CSP
 nonce

Fixes #458: Inline CSS and style attributes now only output when 'Use custom CSS' is disabled
- Wrap style block in conditional check for outputowncss and css_framework_mode
- Make inline style attribute on headline element conditional
- Reuse $addon variable to avoid repeated rex_addon::get() calls

Fixes #459: Add missing CSP nonce attribute to script tag in theme_editor.php
- Backend script now has nonce attribute for CSP compliance

Performance:
- Store rex_addon::get('consent_manager') in $addon variable
- Reuse $cssFrameworkMode variable instead of calling getConfig again
---
 fragments/ConsentManager/box.php          | 16 +++++++++++-----
 fragments/ConsentManager/theme_editor.php |  2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/fragments/ConsentManager/box.php b/fragments/ConsentManager/box.php
index 23c596a2..ea9af340 100644
--- a/fragments/ConsentManager/box.php
+++ b/fragments/ConsentManager/box.php
@@ -10,17 +10,18 @@
 
 use FriendsOfRedaxo\ConsentManager\Frontend;
 
+$addon = rex_addon::get('consent_manager');
 $consent_manager = new Frontend(0);
 if (is_string(rex_request::server('HTTP_HOST'))) {
     $consent_manager->setDomain(rex_request::server('HTTP_HOST'));
 }
 if (0 === count($consent_manager->texts)) {
-    echo '<div id="consent_manager-background">' . rex_view::error(rex_addon::get('consent_manager')->i18n('consent_manager_error_noconfig')) . '</div>';
+    echo '<div id="consent_manager-background">' . rex_view::error($addon->i18n('consent_manager_error_noconfig')) . '</div>';
     return;
 }
 
 // Check for CSS Framework Mode
-$cssFrameworkMode = rex_addon::get('consent_manager')->getConfig('css_framework_mode');
+$cssFrameworkMode = $addon->getConfig('css_framework_mode');
 if ($cssFrameworkMode) {
     echo $this->parse('ConsentManager/box_' . $cssFrameworkMode . '.php');
     return;
@@ -28,9 +29,13 @@
 
 if (0 < count($consent_manager->cookiegroups)) : ?>
         <div tabindex="-1" class="consent_manager-background consent_manager-hidden <?= $consent_manager->boxClass ?>" id="consent_manager-background" data-domain-name="<?= $consent_manager->domainName ?>" data-version="<?= $consent_manager->version ?>" data-consentid="<?= uniqid('', true) ?>" data-cachelogid="<?= $consent_manager->cacheLogId ?>" data-nosnippet aria-hidden="true">
+            <?php
+            // Inline-CSS nur ausgeben wenn kein Framework-Modus und kein eigenes CSS aktiv ist
+            if ('' === $cssFrameworkMode && false === $addon->getConfig('outputowncss', false)) :
+            ?>
             <style nonce="<?= rex_response::getNonce() ?>">
                 #consent_manager-background {
-                    <?php if (rex_addon::get('consent_manager')->getConfig('backdrop', '1') === '0'): ?>
+                    <?php if ($addon->getConfig('backdrop', '1') === '0'): ?>
                     background: transparent !important;
                     pointer-events: none !important;
                     <?php endif; ?>
@@ -39,7 +44,7 @@
                     max-height: 90vh !important;
                     overflow-y: auto !important;
                     border-radius: 0 !important;
-                    <?php if (rex_addon::get('consent_manager')->getConfig('backdrop', '1') === '0'): ?>
+                    <?php if ($addon->getConfig('backdrop', '1') === '0'): ?>
                     pointer-events: auto !important;
                     box-shadow: 0 0 20px rgba(0,0,0,0.2) !important;
                     background: #fff !important;
@@ -69,9 +74,10 @@
                     opacity: 1;
                 }
             </style>
+            <?php endif; ?>
             <div class="consent_manager-wrapper" id="consent_manager-wrapper" tabindex="-1" role="dialog" aria-modal="true" aria-labelledby="consent_manager-headline">
                 <div class="consent_manager-header">
-                    <p class="consent_manager-headline" id="consent_manager-headline" style="margin:0; font-weight:bold; color: inherit;"><?= $consent_manager->texts['headline'] ?></p>
+                    <p class="consent_manager-headline" id="consent_manager-headline"<?php if ('' === $cssFrameworkMode && false === $addon->getConfig('outputowncss', false)) : ?> style="margin:0; font-weight:bold; color: inherit;"<?php endif; ?>><?= $consent_manager->texts['headline'] ?></p>
                     <button class="consent_manager-close" aria-label="Close" type="button">×</button>
                 </div>
                 <div class="consent_manager-wrapper-inner">
diff --git a/fragments/ConsentManager/theme_editor.php b/fragments/ConsentManager/theme_editor.php
index f7079478..b0702a03 100644
--- a/fragments/ConsentManager/theme_editor.php
+++ b/fragments/ConsentManager/theme_editor.php
@@ -589,7 +589,7 @@ class="btn <?= $themeBase === $key ? 'btn-primary' : 'btn-default' ?>">
 }
 </style>
 
-<script>
+<script nonce="<?= rex_response::getNonce() ?>">
 (function() {
     'use strict';
     

From f7f7bb473aed7c0b032d3120b97b322cb3ea85dd Mon Sep 17 00:00:00 2001
From: Thomas Skerbis <thomas.skerbis@mac.com>
Date: Mon, 16 Feb 2026 17:00:31 +0100
Subject: [PATCH 2/2] Bump version to 5.4.1-dev and add changelog entry for
 issue #462

---
 CHANGELOG.md | 4 ++++
 package.yml  | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13d490f1..a15e2e60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # REDAXO consent_manager - Changelog
 
+## Version 5.4.1 (Entwicklung)
+
+- **Fix:** `box.php`: `outputowncss` Einstellung respektieren und fehlende CSP-Nonce für Inline-Styles ergänzen (#462).
+
 ## Version 5.4.0 - 11.02.2026
 
 - **Feature:** Inline-Consent kann nun optional auf "Session-Scope" beschränkt werden. Zustimmungen gelten dann nur, solange der Browser-Tab offen ist (via `sessionStorage`). Konfigurierbar unter Einstellungen.
diff --git a/package.yml b/package.yml
index 3b7d02bc..4a453189 100644
--- a/package.yml
+++ b/package.yml
@@ -1,5 +1,5 @@
 package: consent_manager
-version: "5.4.0"
+version: "5.4.1-dev"
 author: "Friends Of REDAXO"
 supportpage: https://redaxo.org/support/community/#slack