Fixed issue with content-security-policy not being properly supported with http-equiv + support single quotes

2025-10-26 07:56:07 +01:00 · 2021-02-08 11:45:22 -07:00
parent aa8778a0fb
commit 9964285cae
4 changed files with 10 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
    * Improved session fixation handling in PHP 7.4+ (cannot fix it in PHP 7.3 due to PHP bug)
    * Added optional password/database attributes for redis in `system.yaml`
 1. [](#bugfix)
+    * Fixed issue with `content-security-policy` not being properly supported with `http-equiv` + support single quotes
    * Fixed CLI progressbar in `backup` and `security` commands to use styled output [#3198](https://github.com/getgrav/grav/issues/3198)
    * Fixed page save failing because of uploaded images [#3191](https://github.com/getgrav/grav/issues/3191)
    * Fixed `Flex Pages` using only default language in frontend [#106](https://github.com/trilbymedia/grav-plugin-flex-objects/issues/106)
--- a/system/src/Grav/Common/Page/Page.php
+++ b/system/src/Grav/Common/Page/Page.php
@@ -1665,7 +1665,7 @@ class Page implements PageInterface

        // if not metadata yet, process it.
        if (null === $this->metadata) {
-            $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible'];
+            $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible', 'content-security-policy'];

            $this->metadata = [];

@@ -1698,7 +1698,7 @@ class Page implements PageInterface
                        $this->metadata[$prop_key] = [
                            'name' => $prop_key,
                            'property' => $prop_key,
-                            'content' => $escape ? htmlspecialchars($prop_value, ENT_QUOTES, 'UTF-8') : $prop_value
+                            'content' => $escape ? htmlspecialchars($prop_value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $prop_value
                        ];
                    }
                } else {
@@ -1707,16 +1707,16 @@ class Page implements PageInterface
                        if (in_array($key, $header_tag_http_equivs, true)) {
                            $this->metadata[$key] = [
                                'http_equiv' => $key,
-                                'content' => $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value
+                                'content' => $escape ? htmlspecialchars($value, ENT_COMPAT, 'UTF-8') : $value
                            ];
                        } elseif ($key === 'charset') {
-                            $this->metadata[$key] = ['charset' => $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value];
+                            $this->metadata[$key] = ['charset' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value];
                        } else {
                            // if it's a social metadata with separator, render as property
                            $separator = strpos($key, ':');
                            $hasSeparator = $separator && $separator < strlen($key) - 1;
                            $entry = [
-                                'content' => $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value
+                                'content' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value
                            ];

                            if ($hasSeparator && !Utils::startsWith($key, 'twitter')) {
--- a/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php
+++ b/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php
@@ -619,7 +619,7 @@ trait PageLegacyTrait
            // Get initial metadata for the page
            $metadata = array_merge($defaultMetadata, $siteMetadata, $headerMetadata);

-            $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible'];
+            $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible', 'content-security-policy'];
            $escape = !$config->get('system.strict_mode.twig_compat', false) || $config->get('system.twig.autoescape', true);

            // Build an array of meta objects..
@@ -643,7 +643,7 @@ trait PageLegacyTrait
                    if (in_array($key, $header_tag_http_equivs, true)) {
                        $this->_metadata[$key] = [
                            'http_equiv' => $key,
-                            'content' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value
+                            'content' => $escape ? htmlspecialchars($value, ENT_COMPAT, 'UTF-8') : $value
                        ];
                    } elseif ($key === 'charset') {
                        $this->_metadata[$key] = ['charset' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value];
--- a/system/templates/partials/metadata.html.twig
+++ b/system/templates/partials/metadata.html.twig
@@ -1,3 +1,3 @@
 {% for meta in page.metadata %}
-    <meta {% if meta.name %}name="{{ meta.name }}" {% endif %}{% if meta.http_equiv %}http-equiv="{{ meta.http_equiv }}" {% endif %}{% if meta.charset %}charset="{{ meta.charset }}" {% endif %}{% if meta.property %}property="{{ meta.property }}" {% endif %}{% if meta.content %}content="{{ meta.content }}" {% endif %}/>
-{% endfor %}
+    <meta {% if meta.name %}name="{{ meta.name|e }}" {% endif %}{% if meta.http_equiv %}http-equiv="{{ meta.http_equiv|e }}" {% endif %}{% if meta.charset %}charset="{{ meta.charset|e }}" {% endif %}{% if meta.property %}property="{{ meta.property|e }}" {% endif %}{% if meta.content %}content="{{ meta.content|raw }}" {% endif %}/>
+{% endfor %}