Conversation
* security fixes and theme preview
* security fix replace
* Update CHANGELOG.md
* 5.3.3
* namespace guide removed
* fixed reload
* Bump version to 5.3.4 and fix various issues. Updated version to 5.3.4 and fixed multiple issues including JSON parsing errors, framework template loading, and security vulnerabilities.
* 5.3.6
* allow loading everything inline via session
* Fix iOS Safari touch events (thx @alexwenz) and update changelog
* Address review comments: add missing translations and secure host usage
* …_cssjs.php (#460)
  * Initial plan
  * fix(security): Add missing nonce attributes to all script tags in box_cssjs.php
  Co-authored-by: skerbis <791247+skerbis@users.noreply.github.com>
  --------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: skerbis <791247+skerbis@users.noreply.github.com>
* …5 (ours strategy)
* removed some themes
Pull request overview
This pull request is titled "Fix/rebuild from 5.3.5" and appears to consolidate changes from versions 5.4.1 and 5.4.2 into a new 5.5.0 development release. The PR primarily focuses on security improvements (adding CSP nonces), configuration enhancements (making cookie name and lifespan configurable), and theme system improvements (adding framework mode checks and theme rebuilds).
Changes:
- Security: Added CSP nonces to script tags in multiple files to prevent XSS attacks
- Configuration: Made cookie name and lifespan configurable instead of hardcoded, added framework mode validation to theme page
- Themes: Rebuilt pill theme with simpler implementation, added sand and glass v2 theme variants, deleted minimal a11y themes
- Layout: Improved header structure and close button positioning in box fragment, fixed grid layout for a11y banner top theme
- Internationalization: Added framework mode warning message to all three language files (German, English, Swedish)
Reviewed changes
Copilot reviewed 19 out of 20 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.yml | Version bump from 5.4.2 to 5.5.0 (development) |
| CHANGELOG.md | Consolidated 5.4.1 and 5.4.2 changes into 5.5.0 development section |
| pages/help.php | Added CSP nonce to inline script tag for search functionality |
| pages/theme.php | Added framework mode check to prevent theme selection when framework mode is active |
| lib/InlineConsent.php | Added CSP nonces to inline consent configuration and JavaScript loading scripts |
| boot.php | Added CSP nonces to debug script tags in Google Consent Mode debug output |
| fragments/ConsentManager/inline_placeholder.php | Added CSP nonce to content data script tag |
| fragments/ConsentManager/cookiedb.php | Made cookie name configurable via addon config instead of hardcoded |
| fragments/ConsentManager/box_cssjs.php | Made cookie name and lifespan configurable via addon config |
| fragments/ConsentManager/box.php | Restructured header to contain close button, improved positioning with absolute layout |
| scss/consent_manager_frontend_a11y_banner_top.scss | Added grid layout fix for header element spanning full width |
| lang/*.lang | Added new translation key for framework mode active warning in all three languages |
| assets/*.css | Deleted pill and minimal a11y theme CSS, added new sand and glass v2 theme CSS files |
| scss/*.scss | Deleted pill and minimal a11y theme SCSS source files |
Comments suppressed due to low confidence (1)
CHANGELOG.md:8
- The CHANGELOG mentions that CSP nonces were added to theme_editor.php, but this file is not part of the diff in this PR. However, pages/help.php does have nonce additions. Consider updating the CHANGELOG to accurately reflect which files were modified in this PR (pages/help.php, lib/InlineConsent.php, fragments/ConsentManager/inline_placeholder.php, boot.php) rather than referencing theme_editor.php, which may have been fixed in a different commit or version.
- **Fix:** Improved iOS Safari touch-event handling: the button sometimes had to be tapped twice; it now responds immediately.
No description provided.