FriendsOfREDAXO · skerbis · Feb 16, 2026 · Feb 16, 2026 · Feb 16, 2026 · Copilot
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # REDAXO consent_manager - Changelog
 
+## Version 5.4.1 (Entwicklung)
+
+- **Fix:** `box.php`: `outputowncss` Einstellung respektieren und fehlende CSP-Nonce für Inline-Styles ergänzen (#462).
+
 ## Version 5.4.0 - 11.02.2026
 
 - **Feature:** Inline-Consent kann nun optional auf "Session-Scope" beschränkt werden. Zustimmungen gelten dann nur, solange der Browser-Tab offen ist (via `sessionStorage`). Konfigurierbar unter Einstellungen.

diff --git a/fragments/ConsentManager/box.php b/fragments/ConsentManager/box.php
@@ -10,27 +10,32 @@
 
 use FriendsOfRedaxo\ConsentManager\Frontend;
 
+$addon = rex_addon::get('consent_manager');
 $consent_manager = new Frontend(0);
 if (is_string(rex_request::server('HTTP_HOST'))) {
     $consent_manager->setDomain(rex_request::server('HTTP_HOST'));
 }
 if (0 === count($consent_manager->texts)) {
-    echo '<div id="consent_manager-background">' . rex_view::error(rex_addon::get('consent_manager')->i18n('consent_manager_error_noconfig')) . '</div>';
+    echo '<div id="consent_manager-background">' . rex_view::error($addon->i18n('consent_manager_error_noconfig')) . '</div>';
     return;
 }
 
 // Check for CSS Framework Mode
-$cssFrameworkMode = rex_addon::get('consent_manager')->getConfig('css_framework_mode');
+$cssFrameworkMode = $addon->getConfig('css_framework_mode');
-$cssFrameworkMode = $addon->getConfig('css_framework_mode');
+$cssFrameworkMode = $addon->getConfig('css_framework_mode', '');
-$cssFrameworkMode = $addon->getConfig('css_framework_mode');
+$cssFrameworkMode = $addon->getConfig('css_framework_mode', '');
 if ($cssFrameworkMode) {
     echo $this->parse('ConsentManager/box_' . $cssFrameworkMode . '.php');
     return;
 }
 
 if (0 < count($consent_manager->cookiegroups)) : ?>
         <div tabindex="-1" class="consent_manager-background consent_manager-hidden <?= $consent_manager->boxClass ?>" id="consent_manager-background" data-domain-name="<?= $consent_manager->domainName ?>" data-version="<?= $consent_manager->version ?>" data-consentid="<?= uniqid('', true) ?>" data-cachelogid="<?= $consent_manager->cacheLogId ?>" data-nosnippet aria-hidden="true">
+            <?php
+            // Inline-CSS nur ausgeben wenn kein Framework-Modus und kein eigenes CSS aktiv ist
+            if ('' === $cssFrameworkMode && false === $addon->getConfig('outputowncss', false)) :
+            ?>
             <style nonce="<?= rex_response::getNonce() ?>">
                 #consent_manager-background {
-                    <?php if (rex_addon::get('consent_manager')->getConfig('backdrop', '1') === '0'): ?>
+                    <?php if ($addon->getConfig('backdrop', '1') === '0'): ?>
                     background: transparent !important;
                     pointer-events: none !important;
                     <?php endif; ?>
@@ -39,7 +44,7 @@
                     max-height: 90vh !important;
                     overflow-y: auto !important;
                     border-radius: 0 !important;
-                    <?php if (rex_addon::get('consent_manager')->getConfig('backdrop', '1') === '0'): ?>
+                    <?php if ($addon->getConfig('backdrop', '1') === '0'): ?>
                     pointer-events: auto !important;
                     box-shadow: 0 0 20px rgba(0,0,0,0.2) !important;
                     background: #fff !important;
@@ -69,9 +74,10 @@
                     opacity: 1;
                 }
             </style>
+            <?php endif; ?>
             <div class="consent_manager-wrapper" id="consent_manager-wrapper" tabindex="-1" role="dialog" aria-modal="true" aria-labelledby="consent_manager-headline">
                 <div class="consent_manager-header">
-                    <p class="consent_manager-headline" id="consent_manager-headline" style="margin:0; font-weight:bold; color: inherit;"><?= $consent_manager->texts['headline'] ?></p>
+                    <p class="consent_manager-headline" id="consent_manager-headline"<?php if ('' === $cssFrameworkMode && false === $addon->getConfig('outputowncss', false)) : ?> style="margin:0; font-weight:bold; color: inherit;"<?php endif; ?>><?= $consent_manager->texts['headline'] ?></p>
                     <button class="consent_manager-close" aria-label="Close" type="button">×</button>
                 </div>
                 <div class="consent_manager-wrapper-inner">

diff --git a/fragments/ConsentManager/theme_editor.php b/fragments/ConsentManager/theme_editor.php
@@ -589,7 +589,7 @@ class="btn <?= $themeBase === $key ? 'btn-primary' : 'btn-default' ?>">
 }
 </style>
 
-<script>
+<script nonce="<?= rex_response::getNonce() ?>">
 (function() {
     'use strict';
 

diff --git a/package.yml b/package.yml
@@ -1,5 +1,5 @@
 package: consent_manager
-version: "5.4.0"
+version: "5.4.1-dev"
 author: "Friends Of REDAXO"
 supportpage: https://redaxo.org/support/community/#slack