Merge pull request #8025 from kenjis/fix-Honeypot-CSP-style-nonce

kenjis · web-flow · commit 617180afa9e3 · 2023-10-13T09:49:20.000+09:00
fix: CSP style nonce is added even if honeypot is not attached
diff --git a/system/Honeypot/Honeypot.php b/system/Honeypot/Honeypot.php
@@ -89,16 +89,16 @@ public function attachHoneypot(ResponseInterface $response)
 
         $prepField = $this->prepareTemplate($this->config->template);
 
-        $body = $response->getBody();
-        $body = str_ireplace('</form>', $prepField . '</form>', $body);
+        $bodyBefore = $response->getBody();
+        $bodyAfter  = str_ireplace('</form>', $prepField . '</form>', $bodyBefore);
 
-        if ($response->getCSP()->enabled()) {
+        if ($response->getCSP()->enabled() && ($bodyBefore !== $bodyAfter)) {
             // Add style tag for the container tag in the head tag.
-            $style = '<style ' . csp_style_nonce() . '>#' . $this->config->containerId . ' { display:none }</style>';
-            $body  = str_ireplace('</head>', $style . '</head>', $body);
+            $style     = '<style ' . csp_style_nonce() . '>#' . $this->config->containerId . ' { display:none }</style>';
+            $bodyAfter = str_ireplace('</head>', $style . '</head>', $bodyAfter);
         }
 
-        $response->setBody($body);
+        $response->setBody($bodyAfter);
     }
 
     /**
diff --git a/tests/system/Honeypot/HoneypotTest.php b/tests/system/Honeypot/HoneypotTest.php
@@ -100,6 +100,24 @@ public function testAttachHoneypotAndContainerWithCSP(): void
         $this->assertMatchesRegularExpression($regex, $this->response->getBody());
     }
 
+    public function testNotAttachHoneypotWithCSP(): void
+    {
+        $this->resetServices();
+
+        $config             = new App();
+        $config->CSPEnabled = true;
+        Factories::injectMock('config', 'App', $config);
+        $this->response = Services::response($config, false);
+
+        $this->config   = new HoneypotConfig();
+        $this->honeypot = new Honeypot($this->config);
+
+        $this->response->setBody('<head></head><body></body>');
+        $this->honeypot->attachHoneypot($this->response);
+
+        $this->assertSame('<head></head><body></body>', $this->response->getBody());
+    }
+
     public function testHasntContent(): void
     {
         unset($_POST[$this->config->name]);
