From 6a52f3720bb7fb36b1c27f17eac807382083bbde Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 16 Feb 2026 14:33:14 +0000
Subject: [PATCH 1/2] Initial plan


From 59504484c23e5be34cd6387e5e1ce0b381c9b5ca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 16 Feb 2026 14:35:33 +0000
Subject: [PATCH 2/2] fix(security): Add missing nonce attributes to all script
 tags in box_cssjs.php

Co-authored-by: skerbis <791247+skerbis@users.noreply.github.com>
---
 fragments/ConsentManager/box_cssjs.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/fragments/ConsentManager/box_cssjs.php b/fragments/ConsentManager/box_cssjs.php
index 2024ec58..0a3bd86f 100644
--- a/fragments/ConsentManager/box_cssjs.php
+++ b/fragments/ConsentManager/box_cssjs.php
@@ -54,7 +54,7 @@
         $googleConsentModeScriptFile = 'google_consent_mode_v2.js';
     }
     $googleConsentModeScriptUrl = $addon->getAssetsUrl($googleConsentModeScriptFile);
-    $googleConsentModeOutput .= '    <script src="' . $googleConsentModeScriptUrl . '" defer></script>' . PHP_EOL;
+    $googleConsentModeOutput .= '    <script nonce="' . rex_response::getNonce() . '" src="' . $googleConsentModeScriptUrl . '" defer></script>' . PHP_EOL;
 
     // Debug-Script laden wenn Debug-Modus aktiviert UND User im Backend eingeloggt
     if (isset($consent_manager->domainInfo['google_consent_mode_debug'])
@@ -65,10 +65,10 @@
         // Nur für eingeloggte Backend-Benutzer
         if (rex_backend_login::hasSession() && null !== rex::getUser()) {
             $debugScriptUrl = $addon->getAssetsUrl('consent_debug.js');
-            $googleConsentModeOutput .= '    <script src="' . $debugScriptUrl . '" defer></script>' . PHP_EOL;
+            $googleConsentModeOutput .= '    <script nonce="' . rex_response::getNonce() . '" src="' . $debugScriptUrl . '" defer></script>' . PHP_EOL;
 
             // Debug-Konfiguration für JavaScript verfügbar machen
-            $googleConsentModeOutput .= '    <script>' . PHP_EOL;
+            $googleConsentModeOutput .= '    <script nonce="' . rex_response::getNonce() . '">' . PHP_EOL;
             $googleConsentModeOutput .= '        window.consentManagerDebugConfig = ' . json_encode([
                 'mode' => $consent_manager->domainInfo['google_consent_mode_enabled'],
                 'auto_mapping' => 'auto' === $consent_manager->domainInfo['google_consent_mode_enabled'],
@@ -164,8 +164,8 @@
     'mode' => 'opt-in',
 ];
 
-$consentparams['outputjs'] .= '    <script>var consent_manager_parameters = ' . json_encode($jsConfig, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) . ';</script>' . PHP_EOL;
-$consentparams['outputjs'] .= '    <script src="' . rex_url::frontendController($_params) . '" id="consent_manager_script" defer></script>' . PHP_EOL;
+$consentparams['outputjs'] .= '    <script nonce="' . rex_response::getNonce() . '">var consent_manager_parameters = ' . json_encode($jsConfig, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) . ';</script>' . PHP_EOL;
+$consentparams['outputjs'] .= '    <script nonce="' . rex_response::getNonce() . '" src="' . rex_url::frontendController($_params) . '" id="consent_manager_script" defer></script>' . PHP_EOL;
 
 // Ausgabe Google Consent Mode v2 (vor allem anderen)
 echo $googleConsentModeOutput;