Add tests and security documentation for CSP nonce support

justin808 · claude · justin808 · commit 5bae8c279d2c · 2025-11-19T13:44:16.000-10:00
- Add TypeScript tests for: - buildConsoleReplay() with nonce parameter - consoleReplay() returns JS without script tags - Empty string handling with nonce - Add security comments explaining: - Why html_safe is safe (content pre-sanitized via scriptSanitizedVal) - CSP nonce availability (Rails 5.2+) - Add blank line before wrap_console_script_with_nonce method for consistency All tests passing (100 passed in react-on-rails, 30 passed in pro). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/lib/react_on_rails/helper.rb b/lib/react_on_rails/helper.rb
@@ -437,16 +437,20 @@ def build_react_component_result_for_server_rendered_hash(
       )
     end
 
+    # Wraps console replay JavaScript code in a script tag with CSP nonce if available.
+    # The console_script_code is already sanitized by scriptSanitizedVal() in the JavaScript layer,
+    # so using html_safe here is secure.
     def wrap_console_script_with_nonce(console_script_code)
       return "" if console_script_code.blank?
 
-      # Get the CSP nonce if available
+      # Get the CSP nonce if available (Rails 5.2+)
       nonce = content_security_policy_nonce(:script) if respond_to?(:content_security_policy_nonce)
 
       # Build the script tag with nonce if available
       script_options = { id: "consoleReplayLog" }
       script_options[:nonce] = nonce if nonce.present?
 
+      # Safe to use html_safe because content is pre-sanitized via scriptSanitizedVal()
       content_tag(:script, console_script_code.html_safe, script_options)
     end
 
diff --git a/packages/react-on-rails/tests/buildConsoleReplay.test.js b/packages/react-on-rails/tests/buildConsoleReplay.test.js
@@ -75,4 +75,36 @@ console.warn.apply(console, ["other message","{\\"c\\":3,\\"d\\":4}"]);
 
     expect(actual).toEqual(expected);
   });
+
+  it('buildConsoleReplay adds nonce attribute when provided', () => {
+    console.history = [{ arguments: ['test message'], level: 'log' }];
+    const actual = buildConsoleReplay(undefined, 0, 'abc123');
+
+    expect(actual).toContain('nonce="abc123"');
+    expect(actual).toContain('<script id="consoleReplayLog" nonce="abc123">');
+    expect(actual).toContain('console.log.apply(console, ["test message"]);');
+  });
+
+  it('buildConsoleReplay returns empty string when no console messages', () => {
+    console.history = [];
+    const actual = buildConsoleReplay(undefined, 0, 'abc123');
+
+    expect(actual).toEqual('');
+  });
+
+  it('consoleReplay returns only JavaScript without script tags', () => {
+    console.history = [
+      { arguments: ['message 1'], level: 'log' },
+      { arguments: ['message 2'], level: 'error' },
+    ];
+    const actual = consoleReplay();
+
+    // Should not contain script tags
+    expect(actual).not.toContain('<script');
+    expect(actual).not.toContain('</script>');
+
+    // Should contain the JavaScript code
+    expect(actual).toContain('console.log.apply(console, ["message 1"]);');
+    expect(actual).toContain('console.error.apply(console, ["message 2"]);');
+  });
 });
