FriendsOfREDAXO · skerbis · Feb 17, 2026 · Feb 11, 2026 · Feb 16, 2026 · Feb 17, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,19 +1,11 @@
 # REDAXO consent_manager - Changelog
 
-## Version 5.4.2 - 17.02.2026
-
-- **Revert:** Die Änderung an `box.php` aus 5.4.1 wurde rückgängig gemacht, da sie zu Darstellungsproblemen bei aktiviertem "Eigenes CSS" führte. Das Basis-Layout (Backdrop, Positionierung) wird nun wieder immer ausgegeben.
-
-## Version 5.4.1 - 16.02.2026
+## Version 5.5.0 (Entwicklung)
 
 - **Feature:** Inline-Consent kann nun optional auf "Session-Scope" beschränkt werden. Zustimmungen gelten dann nur, solange der Browser-Tab offen ist (via `sessionStorage`). Konfigurierbar unter Einstellungen.
 - **Fix:** Reload-Loop behoben: Das Öffnen der Details aus einem Inline-Element führte unter Umständen zu einem sofortigen Neuladen der Seite.
-- **Fix:** iOS Safari Touch-Event Handling verbessert: Button musste unter Umständen doppelt getippt werden; nun reagiert er sofort (Danke @alexwenz).
-- **Fix:** `box.php`: `outputowncss` Einstellung respektieren und fehlende CSP-Nonce für Inline-Styles ergänzen (#462).
-- **System:** Build-Skript aktualisiert für bessere Minifizierung.
-
-
-
+- **Fix:** iOS Safari Touch-Event Handling verbessert: Button musste unter Umständen doppelt getippt werden; nun reagiert er sofort.
+- **Security:** CSRF/XSS-Schutz: Fehlende CSP-Nonce für Inline-Styles und Scripte ergänzt (`theme_editor.php` und `box_cssjs.php`).
 
 ## Version 5.3.4 - 29.01.2026
 

diff --git a/boot.php b/boot.php
@@ -322,12 +322,12 @@
 
             try {
                 $googleConsentModeConfig = GoogleConsentMode::getDomainConfig($domain);
-                $debugScript = '<script>window.consentManagerDebugConfig = ' . json_encode($googleConsentModeConfig) . ';</script>' . PHP_EOL;
+                $debugScript = '<script nonce="' . rex_response::getNonce() . '">window.consentManagerDebugConfig = ' . json_encode($googleConsentModeConfig) . ';</script>' . PHP_EOL;
             } catch (Exception $e) {
-                $debugScript = '<script>window.consentManagerDebugConfig = {"mode": "unknown", "enabled": false};</script>' . PHP_EOL;
+                $debugScript = '<script nonce="' . rex_response::getNonce() . '">window.consentManagerDebugConfig = {"mode": "unknown", "enabled": false};</script>' . PHP_EOL;
             }
 
-            $debugScript .= '<script src="' . $consentDebugUrl . '"></script>' . PHP_EOL;
+            $debugScript .= '<script nonce="' . rex_response::getNonce() . '" src="' . $consentDebugUrl . '"></script>' . PHP_EOL;
 
             // Debug-Script vor </head> einfügen
             $content = $ep->getSubject();

diff --git a/fragments/ConsentManager/box_cssjs.php b/fragments/ConsentManager/box_cssjs.php
@@ -155,8 +155,8 @@
 $jsConfig = [
     'cookieSameSite' => 'Lax',
     'cookieSecure' => rex_request::isHttps(),
-    'cookieName' => 'consentmanager',
-    'cookieLifetime' => 14, // Tage
+    'cookieName' => $addon->getConfig('cookie_name', 'consentmanager'),
+    'cookieLifetime' => (int) $addon->getConfig('lifespan', 14), // Tage
     'domain' => rex_request::server('HTTP_HOST', 'string', ''),
     'version' => $consent_manager->version,
     'cacheLogId' => $consent_manager->cacheLogId,

diff --git a/fragments/ConsentManager/cookiedb.php b/fragments/ConsentManager/cookiedb.php
@@ -21,11 +21,12 @@
 
 if (0 !== count($consent_manager->cookiegroups)) { /** phpstan-ignore-line */
     // Cookie Consent + History
+    $cookieName = rex_addon::get('consent_manager')->getConfig('cookie_name', 'consentmanager');
     $cookiedata = [];
-    if (is_string(rex_request::cookie('consentmanager'))) {
-        $cookiedata = (array) json_decode(rex_request::cookie('consentmanager'), true);
+    if (is_string(rex_request::cookie($cookieName))) {
+        $cookiedata = (array) json_decode(rex_request::cookie($cookieName), true);
     }
-    $consent_manager_cookie = null !== rex_request::cookie('consentmanager') ? $cookiedata : null;
+    $consent_manager_cookie = null !== rex_request::cookie($cookieName) ? $cookiedata : null;
     if (null !== $consent_manager_cookie && isset($consent_manager_cookie['cachelogid'])) {
         $db = rex_sql::factory();
         $db->setDebug(false);

diff --git a/fragments/ConsentManager/inline_placeholder.php b/fragments/ConsentManager/inline_placeholder.php
@@ -121,7 +121,7 @@ class="consent-inline-thumbnail"
             </div>
         </div>
 
-        <script type="text/plain" class="consent-content-data" 
+        <script nonce="<?= rex_response::getNonce() ?>" type="text/plain" class="consent-content-data" 
                 data-consent-code="<?= rex_escape($serviceKey) ?>">
 <?= str_replace('</script>', '<\/script>', $content) ?>
         </script>

diff --git a/lang/de_de.lang b/lang/de_de.lang
@@ -127,6 +127,7 @@ consent_manager_config_css_framework_mode_uikit3 = UIkit 3
 consent_manager_config_css_framework_mode_bootstrap5 = Bootstrap 5
 consent_manager_config_css_framework_mode_tailwind = Tailwind CSS
 consent_manager_config_css_framework_mode_bulma = Bulma
+consent_manager_config_css_framework_mode_active = Der "Framework Modus" ist aktiv. Themes können in diesem Modus nicht verwendet werden, da das Layout vom Framework gesteuert wird.
 
 consent_manager_config_framework_legend = Framework-Einstellungen
 consent_manager_config_framework_shadow = Schatten

diff --git a/lang/en_gb.lang b/lang/en_gb.lang
@@ -158,6 +158,7 @@ consent_manager_config_css_framework_mode_uikit3 = UIkit 3
 consent_manager_config_css_framework_mode_bootstrap5 = Bootstrap 5
 consent_manager_config_css_framework_mode_tailwind = Tailwind CSS
 consent_manager_config_css_framework_mode_bulma = Bulma
+consent_manager_config_css_framework_mode_active = "Framework Mode" is active. Themes cannot be used in this mode as the layout is controlled by the framework.
 
 consent_manager_config_framework_legend = Framework Settings
 consent_manager_config_framework_shadow = Shadow

diff --git a/lang/sv_se.lang b/lang/sv_se.lang
@@ -516,3 +516,5 @@ consent_manager_editorial_autoblock_warning_title = Auto-Blocking är inte aktiv
 consent_manager_editorial_autoblock_warning_intro = Automatisk blockering av externt innehåll är för närvarande inaktiverad.
 consent_manager_editorial_autoblock_warning_admin = För att koderna som genereras här ska fungera måste auto-blocking <a href="{0}"><strong>aktiveras i inställningarna</strong></a>. Utan denna funktion laddas externt innehåll direkt och kringgår samtyckes-mekanismen.
 consent_manager_editorial_autoblock_warning_user = För att koderna som genereras här ska fungera måste auto-blocking aktiveras i inställningarna. <strong>Kontakta en administratör eller användare med config-behörighet</strong> för att aktivera denna funktion. Utan auto-blocking laddas externt innehåll direkt och kringgår samtyckes-mekanismen.
+
+consent_manager_config_css_framework_mode_active = "Framework-läge" är aktivt. Teman kan inte användas i detta läge eftersom layouten styrs av ramverket.
diff --git a/lib/InlineConsent.php b/lib/InlineConsent.php
@@ -400,11 +400,11 @@ public static function getJavaScript(): string
         $addon = \rex_addon::get('consent_manager');
         $sessionScope = $addon->getConfig('inline_consent_session_scope') ? 'true' : 'false';
 
-        $configScript = '<script>window.consentManagerInlineOptions = { sessionScope: ' . $sessionScope . ' };</script>';
+        $configScript = '<script nonce="' . \rex_response::getNonce() . '">window.consentManagerInlineOptions = { sessionScope: ' . $sessionScope . ' };</script>';
 
         // JavaScript-Datei laden
         $jsPath = rex_url::addonAssets('consent_manager', 'consent_inline.js');
-        return $configScript . '<script defer src="' . $jsPath . '"></script>';
+        return $configScript . '<script nonce="' . \rex_response::getNonce() . '" defer src="' . $jsPath . '"></script>';
     }
 
     /**

diff --git a/package.yml b/package.yml
@@ -1,5 +1,5 @@
 package: consent_manager
-version: "5.4.2"
+version: "5.5.0-dev"
 author: "Friends Of REDAXO"
 supportpage: https://redaxo.org/support/community/#slack
 

diff --git a/pages/help.php b/pages/help.php
@@ -166,7 +166,7 @@
                 $tocHtml .= '</div></div>';
 
                 // JS for Live Search
-                $tocHtml .= '<script>
+                $tocHtml .= '<script nonce="' . rex_response::getNonce() . '">
                 (function($) {
                     $(document).on("rex:ready", function() {
                         var $input = $("#cm-toc-filter");

diff --git a/pages/theme.php b/pages/theme.php
@@ -21,6 +21,13 @@
 
 if ('|1|' === $addon->getConfig('outputowncss', false)) {
     echo rex_view::error(rex_i18n::msg('consent_manager_config_owncss_active'));
+    return;
+}
+
+// Framework Modus darf nicht aktiviert sein
+if ($addon->getConfig('css_framework_mode')) {
+    echo rex_view::error(rex_i18n::msg('consent_manager_config_css_framework_mode_active'));
+    return;
 }
 
 // Prüfen ob mindestens eine Domain angelegt wurde