fix: escape CSP nonce attributes in JSON responses (#9938)

Co-authored-by: John Paul E. Balandan, CPA <paulbalandan@gmail.com>

Author: michalsn

system/HTTP/ContentSecurityPolicy.php

@@ -898,13 +898,17 @@ protected function generateNonces(ResponseInterface $response)
             return;
         }
 
+        // Escape quotes for JSON responses to prevent corrupting the JSON body
+        $jsonEscape = str_contains($response->getHeaderLine('Content-Type'), 'json');
+
         // Replace style and script placeholders with nonces
         $pattern = sprintf('/(%s|%s)/', preg_quote($this->styleNonceTag, '/'), preg_quote($this->scriptNonceTag, '/'));
 
-        $body = preg_replace_callback($pattern, function ($match): string {
+        $body = preg_replace_callback($pattern, function ($match) use ($jsonEscape): string {
             $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce();
+            $attr  = 'nonce="' . $nonce . '"';
 
-            return "nonce=\"{$nonce}\"";
+            return $jsonEscape ? str_replace('"', '\\"', $attr) : $attr;
         }, $body);
 
         $response->setBody($body);

tests/system/Debug/ExceptionHandlerTest.php

@@ -40,6 +40,8 @@ protected function setUp(): void
         parent::setUp();
 
         $this->handler = new ExceptionHandler(new ExceptionsConfig());
+
+        $this->resetServices();
     }
 
     public function testDetermineViewsPageNotFoundException(): void

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -937,4 +937,40 @@ public function testClearDirective(): void
         $this->assertNotContains('report-uri http://example.com/csp/reports', $directives);
         $this->assertNotContains('report-to default', $directives);
     }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testGenerateNoncesReplacesPlaceholdersInHtml(): void
+    {
+        $body = '<style {csp-style-nonce}>body{}</style><script {csp-script-nonce}>alert(1)</script>';
+
+        $this->response->setBody($body);
+        $this->csp->finalize($this->response);
+
+        $result = $this->response->getBody();
+
+        $this->assertMatchesRegularExpression('/<style nonce="[A-Za-z0-9+\/=]+">/', $result);
+        $this->assertMatchesRegularExpression('/<script nonce="[A-Za-z0-9+\/=]+">/', $result);
+        $this->assertIsString($result);
+        $this->assertStringNotContainsString('{csp-style-nonce}', $result);
+        $this->assertStringNotContainsString('{csp-script-nonce}', $result);
+    }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testGenerateNoncesEscapesQuotesInJsonResponse(): void
+    {
+        $data = json_encode(['html' => '<script {csp-script-nonce}>alert(1)</script>']);
+
+        $this->response->setContentType('application/json');
+        $this->response->setBody($data);
+        $this->csp->finalize($this->response);
+
+        $result = $this->response->getBody();
+        $parsed = json_decode($result, true);
+
+        $this->assertSame(JSON_ERROR_NONE, json_last_error());
+        $this->assertNotNull($parsed);
+        $this->assertMatchesRegularExpression('/nonce="[A-Za-z0-9+\/=]+"/', $parsed['html']);
+    }
 }

user_guide_src/source/changelogs/v4.7.1.rst

@@ -32,6 +32,8 @@ Deprecations
 Bugs Fixed
 **********
 
+- **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` produces corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
+
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_
 for a complete list of bugs fixed.