fix: inline style "display:none" for honeypot field does not work with CSP

Author: kenjis

app/Config/Honeypot.php

@@ -28,6 +28,15 @@ class Honeypot extends BaseConfig
 
     /**
      * Honeypot container
+     *
+     * If you enables CSP, you can remove `style="display:none"`.
      */
     public string $container = '<div style="display:none">{template}</div>';
+
+    /**
+     * The id attribute for Honeypot container tag
+     *
+     * Used when CSP is enabled.
+     */
+    public string $containerId = 'hpc';
 }

system/Honeypot/Honeypot.php

@@ -46,6 +46,8 @@ public function __construct(HoneypotConfig $config)
             $this->config->container = '<div style="display:none">{template}</div>';
         }
 
+        $this->config->containerId ??= 'hpc';
+
         if ($this->config->template === '') {
             throw HoneypotException::forNoTemplate();
         }
@@ -70,10 +72,26 @@ public function hasContent(RequestInterface $request)
      */
     public function attachHoneypot(ResponseInterface $response)
     {
+        if ($response->getCSP()->enabled()) {
+            // Add id attribute to the container tag.
+            $this->config->container = str_ireplace(
+                '>{template}',
+                ' id="' . $this->config->containerId . '">{template}',
+                $this->config->container
+            );
+        }
+
         $prepField = $this->prepareTemplate($this->config->template);
 
         $body = $response->getBody();
         $body = str_ireplace('</form>', $prepField . '</form>', $body);
+
+        if ($response->getCSP()->enabled()) {
+            // Add style tag for the container tag in the head tag.
+            $style = '<style ' . csp_style_nonce() . '>#' . $this->config->containerId . ' { display:none }</style>';
+            $body  = str_ireplace('</head>', $style . '</head>', $body);
+        }
+
         $response->setBody($body);
     }