
Fix: Respect outputowncss setting and add missing CSP nonce#463

Merged
skerbis merged 2 commits into main from fix/issues-458-459
Feb 16, 2026

Conversation

@skerbis (Member) commented Feb 16, 2026

Fixes #458, #459

Changes

box.php (Issue #458)

  • Wrap style block in conditional check for outputowncss and css_framework_mode settings
  • Make inline style attribute on headline element conditional
  • Only output inline CSS when custom CSS is not enabled

theme_editor.php (Issue #459)

  • Add CSP nonce attribute to backend script tag for compliance

Performance improvements

  • Store rex_addon::get('consent_manager') in $addon variable
  • Reuse $cssFrameworkMode variable instead of calling getConfig multiple times

Testing

  • Backend: Theme Editor loads without CSP violations
  • Frontend: Cookie box respects 'Use custom CSS' setting
  • Frontend: No inline styles when custom CSS is enabled
  • Frontend: Inline styles present when custom CSS is disabled

Fixes #458: Inline CSS and style attributes now only output when 'Use custom CSS' is disabled
- Wrap style block in conditional check for outputowncss and css_framework_mode
- Make inline style attribute on headline element conditional
- Reuse $addon variable to avoid repeated rex_addon::get() calls

Fixes #459: Add missing CSP nonce attribute to script tag in theme_editor.php
- Backend script now has nonce attribute for CSP compliance

Performance:
- Store rex_addon::get('consent_manager') in $addon variable
- Reuse $cssFrameworkMode variable instead of calling getConfig again

Copilot AI review requested due to automatic review settings, February 16, 2026 15:56
Copilot AI (Contributor) left a comment

Pull request overview

This PR updates Consent Manager frontend and backend fragments to better respect the “Use custom CSS” setting and to improve CSP compliance in the theme editor.

Changes:

  • Conditionally suppress inline <style> output and an inline style="" attribute in the consent box when outputowncss is enabled.
  • Add a CSP nonce to the inline <script> block in the theme editor fragment.
  • Minor refactor: reuse a single $addon instance instead of repeated rex_addon::get() calls.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Reviewed files:

  • fragments/ConsentManager/box.php: Gates inline CSS/style attribute output behind outputowncss (and framework mode), and reuses $addon for config/i18n calls.
  • fragments/ConsentManager/theme_editor.php: Adds CSP nonce attribute to the inline script block in the theme editor.


// Check for CSS Framework Mode
$cssFrameworkMode = rex_addon::get('consent_manager')->getConfig('css_framework_mode');
$cssFrameworkMode = $addon->getConfig('css_framework_mode');
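Review bot: the replacement line drops the default argument, so on an installation where css_framework_mode has never been saved $addon->getConfig('css_framework_mode') returns null instead of a string, and any strict comparison such as '' === $cssFrameworkMode further down the fragment will treat "no framework" as "framework active" and suppress the inline CSS. Keep the refactor but pass the default explicitly, `$addon->getConfig('css_framework_mode', '')`, and confirm that $addon is assigned from rex_addon::get('consent_manager') earlier in this file, since the hunk no longer shows where it comes from.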
Copilot AI commented Feb 16, 2026
$cssFrameworkMode is read without a default value, but later the fragment does strict checks against an empty string ("'' === $cssFrameworkMode"). If the config value is null on older installs, this will incorrectly suppress the inline CSS/style output even though no framework mode is active. Use the established pattern $addon->getConfig('css_framework_mode', '') so the value is always a string and the comparisons behave as intended.

Suggested change
$cssFrameworkMode = $addon->getConfig('css_framework_mode');
$cssFrameworkMode = $addon->getConfig('css_framework_mode', '');

Comment on lines 588 to +592
appearance: auto;
}
</style>

<script>
<script nonce="<?= rex_response::getNonce() ?>">
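Review bot: the nonce is added only to the <script> tag; the inline <style> block that closes two lines above it is still un-nonced, so under a policy with style-src 'nonce-…' and no 'unsafe-inline' the theme editor keeps producing a CSP violation, now for styles instead of scripts. Give the <style> tag the same attribute, `<style nonce="<?= rex_response::getNonce() ?>">`, so both inline blocks pass under the same header.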
Copilot AI commented Feb 16, 2026
The Theme Editor still outputs an inline <style> block without a CSP nonce directly above this script. On installations with a strict CSP that requires nonces for inline styles, adding the script nonce alone won't prevent CSP violations. Consider adding the nonce attribute to the <style> tag as well for consistent CSP compliance.

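The two review points above (the missing '' default on css_framework_mode and the un-nonced inline style block) fit in one fragment. The following is an added example, not code from the consent_manager addon: it assumes REDAXO's rex_addon::get()->getConfig($key, $default), rex_fragment::getVar($key, $default) and rex_response::getNonce() as used on this page; the fragment markup, the CSS, the variable names and the headline var are hypothetical.

```php
<?php
// Added example (not the consent_manager project's own code).
// Assumptions: rex_addon::get()->getConfig($key, $default), $this->getVar($key, $default)
// and rex_response::getNonce() behave as used on this page; markup and CSS are hypothetical.

$addon = rex_addon::get('consent_manager');

// Read both settings once. The '' default matters: on an install where
// css_framework_mode was never saved, getConfig() without a default returns null,
// and a strict '' === $cssFrameworkMode check would then wrongly suppress the inline CSS.
$outputOwnCss     = (bool) $addon->getConfig('outputowncss', false);
$cssFrameworkMode = (string) $addon->getConfig('css_framework_mode', '');

// Inline CSS only when the site neither ships its own CSS nor uses a framework mode.
$emitInlineCss = !$outputOwnCss && '' === $cssFrameworkMode;

// One nonce for every inline block in this response. With a header such as
//   Content-Security-Policy: script-src 'nonce-<value>'; style-src 'nonce-<value>'
// an inline <style> without the nonce is blocked exactly like an inline <script>.
$nonce = rex_response::getNonce();

// Hypothetical fragment variable; the default is only a placeholder.
$headline = $this->getVar('headline', 'Cookie settings');
?>
<?php if ($emitInlineCss): ?>
<style nonce="<?= $nonce ?>">
.consent_manager-box { border: 1px solid #ccc; padding: 1rem; }
</style>
<?php endif; ?>

<div class="consent_manager-box" hidden>
    <!-- inline style attribute only when the addon is responsible for styling -->
    <h3<?= $emitInlineCss ? ' style="margin-top:0"' : '' ?>><?= rex_escape($headline) ?></h3>
</div>

<script nonce="<?= $nonce ?>">
document.querySelector('.consent_manager-box').hidden = false;
</script>
```

Both inline blocks carry the same per-response nonce, so a strict policy that lists nonces for script-src and style-src passes without 'unsafe-inline'; when 'Use custom CSS' or a framework mode is active the fragment emits no inline CSS and no style attribute at all, which is the behaviour the PR description tests for.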
@skerbis skerbis merged commit f7f7bb4 into main Feb 16, 2026
5 checks passed
@skerbis skerbis deleted the fix/issues-458-459 branch February 16, 2026 16:04