Loading pkgs/by-name/ye/yelp-xsl/cve-2025-3155.patch 0 → 100644 +79 −0 Original line number Diff line number Diff line diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl index 77aed075..82832fb4 100644 --- a/xslt/common/html.xsl +++ b/xslt/common/html.xsl @@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See --> <xsl:param name="html.sidebar.right" select="''"/> +<!--@@========================================================================== +html.csp.nonce +An optional CSP nonce string to allow the execution of scripts and styles. +@revision[version=42.2 date=2025-02-22 status=final] + +This parameter takes a string value that will be added to the 'nonce' attribute +of all 'style' and 'script' tags in the generated HTML output. This paramter is used +to whitelist script and style tags that are allowed to be executed. +--> +<xsl:param name="html.csp.nonce" select="false()"/> <!--**========================================================================== html.output @@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided. </xsl:call-template> </xsl:param> <style type="text/css"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> <xsl:call-template name="html.css.content"> <xsl:with-param name="node" select="$node"/> <xsl:with-param name="direction" select="$direction"/> @@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files. <xsl:param name="node" select="."/> <xsl:if test="$node//mml:*[1]"> <script type="text/javascript"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> <xsl:attribute name="src"> <xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text> </xsl:attribute> @@ -1558,6 +1578,11 @@ result of {html.js.content} to that file. <xsl:template name="html.js.script"> <xsl:param name="node" select="."/> <script type="text/javascript"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> <xsl:call-template name="html.js.content"> <xsl:with-param name="node" select="$node"/> </xsl:call-template> @@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value. <xsl:template name="html.js.syntax"> <xsl:param name="node" select="."/> <xsl:if test="$html.syntax.highlight"> - <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script> - <script><![CDATA[ + <script type="text/javascript" src="{$html.js.root}highlight.pack.js"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> + </script> + <script> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if><![CDATA[ document.addEventListener('DOMContentLoaded', function() { var matches = document.querySelectorAll('code.syntax') for (var i = 0; i < matches.length; i++) { pkgs/by-name/ye/yelp-xsl/package.nix +4 −0 Original line number Diff line number Diff line Loading @@ -29,6 +29,10 @@ stdenv.mkDerivation rec { doCheck = true; patches = [ ./cve-2025-3155.patch ]; passthru = { updateScript = gnome.updateScript { packageName = "yelp-xsl"; Loading Loading
pkgs/by-name/ye/yelp-xsl/cve-2025-3155.patch 0 → 100644 +79 −0 Original line number Diff line number Diff line diff --git a/xslt/common/html.xsl b/xslt/common/html.xsl index 77aed075..82832fb4 100644 --- a/xslt/common/html.xsl +++ b/xslt/common/html.xsl @@ -266,6 +266,16 @@ certain tokens, and you can add your own with {html.sidebar.mode}. See --> <xsl:param name="html.sidebar.right" select="''"/> +<!--@@========================================================================== +html.csp.nonce +An optional CSP nonce string to allow the execution of scripts and styles. +@revision[version=42.2 date=2025-02-22 status=final] + +This parameter takes a string value that will be added to the 'nonce' attribute +of all 'style' and 'script' tags in the generated HTML output. This paramter is used +to whitelist script and style tags that are allowed to be executed. +--> +<xsl:param name="html.csp.nonce" select="false()"/> <!--**========================================================================== html.output @@ -1124,6 +1134,11 @@ dimensions. All parameters can be automatically computed if not provided. </xsl:call-template> </xsl:param> <style type="text/css"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> <xsl:call-template name="html.css.content"> <xsl:with-param name="node" select="$node"/> <xsl:with-param name="direction" select="$direction"/> @@ -1533,6 +1548,11 @@ copy, override this template and provide the necessary files. <xsl:param name="node" select="."/> <xsl:if test="$node//mml:*[1]"> <script type="text/javascript"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> <xsl:attribute name="src"> <xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text> </xsl:attribute> @@ -1558,6 +1578,11 @@ result of {html.js.content} to that file. <xsl:template name="html.js.script"> <xsl:param name="node" select="."/> <script type="text/javascript"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> <xsl:call-template name="html.js.content"> <xsl:with-param name="node" select="$node"/> </xsl:call-template> @@ -2035,8 +2060,19 @@ on all `code` elements with `"syntax"` in the class value. <xsl:template name="html.js.syntax"> <xsl:param name="node" select="."/> <xsl:if test="$html.syntax.highlight"> - <script type="text/javascript" src="{$html.js.root}highlight.pack.js"></script> - <script><![CDATA[ + <script type="text/javascript" src="{$html.js.root}highlight.pack.js"> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if> + </script> + <script> + <xsl:if test="$html.csp.nonce"> + <xsl:attribute name="nonce"> + <xsl:value-of select="$html.csp.nonce" /> + </xsl:attribute> + </xsl:if><![CDATA[ document.addEventListener('DOMContentLoaded', function() { var matches = document.querySelectorAll('code.syntax') for (var i = 0; i < matches.length; i++) {
pkgs/by-name/ye/yelp-xsl/package.nix +4 −0 Original line number Diff line number Diff line Loading @@ -29,6 +29,10 @@ stdenv.mkDerivation rec { doCheck = true; patches = [ ./cve-2025-3155.patch ]; passthru = { updateScript = gnome.updateScript { packageName = "yelp-xsl"; Loading
