yelp: fix for CVE-2025-3155

diff --git a/data/xslt/mal2html.xsl.in b/data/xslt/mal2html.xsl.in

index 9e44b734..0a74da55 100644

--- a/data/xslt/mal2html.xsl.in

+++ b/data/xslt/mal2html.xsl.in

@@ -19,6 +19,11 @@

 <xsl:param name="mal.link.prefix" select="'xref:'"/>

 <xsl:param name="mal.link.extension" select="''"/>

+<xsl:template name="html.head.top.custom">

+  <xsl:param name="node" select="."/>

+  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'nonce-{$html.csp.nonce}'; "/>

+</xsl:template>

+

 <xsl:template name="mal.link.target.custom">

   <xsl:param name="node" select="."/>

   <xsl:param name="action" select="$node/@action"/>

diff --git a/data/xslt/man2html.xsl.in b/data/xslt/man2html.xsl.in

index 676ce3eb..56bc1f5c 100644

--- a/data/xslt/man2html.xsl.in

+++ b/data/xslt/man2html.xsl.in

@@ -131,7 +131,7 @@

   the correct styling and a single character which we measure the

   width of and update each sheet as required.

 -->

-<script type="text/javascript" language="javascript">

+<script type="text/javascript" language="javascript" nonce="{$html.csp.nonce}">

 <xsl:text>

 $(document).ready (function () {

   var div = document.getElementById("invisible-char");

diff --git a/data/xslt/yelp-common.xsl.in b/data/xslt/yelp-common.xsl.in

index 0c1ec9bb..421fc02d 100644

--- a/data/xslt/yelp-common.xsl.in

+++ b/data/xslt/yelp-common.xsl.in

@@ -15,6 +15,13 @@

 <xsl:param name="html.syntax.highlight" select="true()"/>

 <xsl:param name="html.js.root" select="'file://@XSL_JSDIR@/'"/>

+<xsl:param name="html.csp.nonce" select="yelp:generate_nonce()"/>

+

+<xsl:template name="html.head.top.custom">

+  <xsl:param name="node" select="."/>

+  <meta http-equiv="Content-Security-Policy" content="default-src bogus-ghelp: bogus-gnome-help: bogus-help: bogus-help-list: bogus-info: bogus-man: ; script-src 'nonce-{$html.csp.nonce}'; style-src 'unsafe-inline'; "/>

+</xsl:template>

+

 <xsl:template name="html.js.mathjax">

   <xsl:param name="node" select="."/>

   <xsl:if test="$node//mml:*[1]">

diff --git a/libyelp/yelp-transform.c b/libyelp/yelp-transform.c

index e74eb463..2ce1d05b 100644

--- a/libyelp/yelp-transform.c

+++ b/libyelp/yelp-transform.c

@@ -71,6 +71,8 @@ static void      xslt_yelp_cache            (xsltTransformContextPtr  ctxt,

                                              xsltStylePreCompPtr      comp);

 static void      xslt_yelp_aux              (xmlXPathParserContextPtr ctxt,

                                              int                      nargs);

+static void      xslt_yelp_generate_nonce   (xmlXPathParserContextPtr ctxt,

+                                             int                      nargs);

 enum {

     PROP_0,

@@ -412,6 +414,10 @@ transform_run (YelpTransform *transform)

                              BAD_CAST "input",

                              BAD_CAST YELP_NAMESPACE,

                              (xmlXPathFunction) xslt_yelp_aux);

+    xsltRegisterExtFunction (priv->context,

+                         BAD_CAST "generate_nonce",

+                         BAD_CAST YELP_NAMESPACE,

+                         (xmlXPathFunction) xslt_yelp_generate_nonce);

     priv->output = xsltApplyStylesheetUser (priv->stylesheet,

                                             priv->input,

@@ -607,3 +613,16 @@ xslt_yelp_aux (xmlXPathParserContextPtr ctxt, int nargs)

     xsltExtensionInstructionResultRegister (tctxt, ret);

     valuePush (ctxt, ret);

 }

+

+static void

+xslt_yelp_generate_nonce (xmlXPathParserContextPtr ctxt, int nargs)

+{

+    GRand* rand;

+    gchar* nonce_str;

+

+    rand = g_rand_new ();

+    nonce_str = g_strdup_printf("%08x%08x", g_rand_int (rand), g_rand_int (rand));

+    xmlXPathReturnString (ctxt, xmlStrdup ((xmlChar *) nonce_str));

+    g_free(nonce_str);

+    g_rand_free(rand);

+}

diff --git a/libyelp/yelp-view.c b/libyelp/yelp-view.c

index 32ae131e..d544c5df 100644

--- a/libyelp/yelp-view.c

+++ b/libyelp/yelp-view.c

@@ -971,7 +971,7 @@ view_external_uri (YelpView *view,

     if (app_info)

       {

-        if (!strstr (g_app_info_get_executable (app_info), "yelp"))

+        if (!strstr (g_app_info_get_executable (app_info), "yelp") && !strstr (struri, "%3C") && !strstr (struri, "%3E"))

           {

             GList l;

    gst_all_1.gst-plugins-good

  ];

  patches = [

    ./cve-2025-3155.patch

  ];

  passthru = {

    updateScript = gnome.updateScript {

      packageName = "yelp";