From cdc7106ff8c40ce9556ee78f0b92f2ebabfc0800 Mon Sep 17 00:00:00 2001
From: "John Paul E. Balandan, CPA" <paulbalandan@gmail.com>
Date: Sun, 1 Feb 2026 19:13:06 +0800
Subject: [PATCH] fix: ensure CSP nonces are Base64 encoded

---
 system/HTTP/ContentSecurityPolicy.php           |  4 ++--
 tests/system/CommonFunctionsTest.php            |  4 ++--
 tests/system/HTTP/ContentSecurityPolicyTest.php | 14 ++++++++------
 tests/system/Helpers/HTMLHelperTest.php         |  2 +-
 tests/system/Helpers/URLHelper/MiscUrlTest.php  |  2 +-
 tests/system/Honeypot/HoneypotTest.php          |  2 +-
 tests/system/View/ParserPluginTest.php          |  2 +-
 user_guide_src/source/changelogs/v4.6.5.rst     |  1 +
 8 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index a6a2b26a71fc..4767face673e 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -303,7 +303,7 @@ public function enabled(): bool
     public function getStyleNonce(): string
     {
         if ($this->styleNonce === null) {
-            $this->styleNonce = bin2hex(random_bytes(12));
+            $this->styleNonce = base64_encode(random_bytes(12));
             $this->styleSrc[] = 'nonce-' . $this->styleNonce;
         }
 
@@ -316,7 +316,7 @@ public function getStyleNonce(): string
     public function getScriptNonce(): string
     {
         if ($this->scriptNonce === null) {
-            $this->scriptNonce = bin2hex(random_bytes(12));
+            $this->scriptNonce = base64_encode(random_bytes(12));
             $this->scriptSrc[] = 'nonce-' . $this->scriptNonce;
         }
 
diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
index bc09ef6e9f57..d84378e01dc9 100644
--- a/tests/system/CommonFunctionsTest.php
+++ b/tests/system/CommonFunctionsTest.php
@@ -731,7 +731,7 @@ public function testDWithCSP(): void
         $cliDetection        = Kint::$cli_detection;
         Kint::$cli_detection = false;
 
-        $this->expectOutputRegex('/<script class="kint-rich-script" nonce="[0-9a-z]{24}">/u');
+        $this->expectOutputRegex('/<script class="kint-rich-script" nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}">/u');
         d('string');
 
         // Restore settings
@@ -754,7 +754,7 @@ public function testTraceWithCSP(): void
 
         Kint::$cli_detection = false;
 
-        $this->expectOutputRegex('/<style class="kint-rich-style" nonce="[0-9a-z]{24}">/u');
+        $this->expectOutputRegex('/<style class="kint-rich-style" nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}">/u');
         trace();
     }
 
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 06dde464a4a4..5856e9d692fa 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -578,18 +578,20 @@ public function testGetScriptNonce(): void
     {
         $this->prepare();
 
-        $nonce = $this->csp->getScriptNonce();
-
-        $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
+        $this->assertMatchesRegularExpression(
+            '/\A[a-zA-Z0-9+\/-_]+[=]{0,2}\z/',
+            $this->csp->getScriptNonce(),
+        );
     }
 
     public function testGetStyleNonce(): void
     {
         $this->prepare();
 
-        $nonce = $this->csp->getStyleNonce();
-
-        $this->assertMatchesRegularExpression('/\A[0-9a-z]{24}\z/', $nonce);
+        $this->assertMatchesRegularExpression(
+            '/\A[a-zA-Z0-9+\/-_]+[=]{0,2}\z/',
+            $this->csp->getStyleNonce(),
+        );
     }
 
     #[PreserveGlobalState(false)]
diff --git a/tests/system/Helpers/HTMLHelperTest.php b/tests/system/Helpers/HTMLHelperTest.php
index b6d061072375..dcce366474b9 100644
--- a/tests/system/Helpers/HTMLHelperTest.php
+++ b/tests/system/Helpers/HTMLHelperTest.php
@@ -337,7 +337,7 @@ public function testScriptTagWithCsp(): void
         $html   = script_tag($target);
 
         $this->assertMatchesRegularExpression(
-            '!<script nonce="\w+?" src="http://site.com/js/mystyles.js".*?>!u',
+            '!<script nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}" src="http://site.com/js/mystyles.js".*?>!u',
             $html,
         );
 
diff --git a/tests/system/Helpers/URLHelper/MiscUrlTest.php b/tests/system/Helpers/URLHelper/MiscUrlTest.php
index 81ec9770ea2a..46f5b0362f59 100644
--- a/tests/system/Helpers/URLHelper/MiscUrlTest.php
+++ b/tests/system/Helpers/URLHelper/MiscUrlTest.php
@@ -493,7 +493,7 @@ public function testSafeMailtoWithCsp(): void
 
         $html = safe_mailto('foo@example.jp', 'Foo');
 
-        $this->assertMatchesRegularExpression('/<script .*?nonce="\w+?".*?>/u', $html);
+        $this->assertMatchesRegularExpression('/<script .*?nonce="[a-zA-Z0-9+\/]+[=]{0,2}".*?>/u', $html);
     }
 
     /**
diff --git a/tests/system/Honeypot/HoneypotTest.php b/tests/system/Honeypot/HoneypotTest.php
index b92c2d1158b7..31335db6c232 100644
--- a/tests/system/Honeypot/HoneypotTest.php
+++ b/tests/system/Honeypot/HoneypotTest.php
@@ -107,7 +107,7 @@ public function testAttachHoneypotAndContainerWithCSP(): void
         $this->response->setBody('<head></head><body><form></form></body>');
         $this->honeypot->attachHoneypot($this->response);
 
-        $regex = '!<head><style nonce="[0-9a-f]+">#hpc { display:none }</style></head><body><form><div style="display:none" id="hpc"><label>Fill This Field</label><input type="text" name="honeypot" value=""></div></form></body>!u';
+        $regex = '!<head><style nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}">#hpc { display:none }</style></head><body><form><div style="display:none" id="hpc"><label>Fill This Field</label><input type="text" name="honeypot" value=""></div></form></body>!u';
         $this->assertMatchesRegularExpression($regex, $this->response->getBody());
     }
 
diff --git a/tests/system/View/ParserPluginTest.php b/tests/system/View/ParserPluginTest.php
index 440c0146b393..bb458a85ad04 100644
--- a/tests/system/View/ParserPluginTest.php
+++ b/tests/system/View/ParserPluginTest.php
@@ -151,7 +151,7 @@ public function testCspScriptNonceWithCspEnabled(): void
         $template = 'aaa {+ csp_script_nonce +} bbb';
 
         $this->assertMatchesRegularExpression(
-            '/aaa nonce="[0-9a-z]{24}" bbb/',
+            '/aaa nonce="[a-zA-Z0-9+\/-_]+[=]{0,2}" bbb/',
             $this->parser->renderString($template),
         );
     }
diff --git a/user_guide_src/source/changelogs/v4.6.5.rst b/user_guide_src/source/changelogs/v4.6.5.rst
index 98f3558dee92..3b42a77d8d50 100644
--- a/user_guide_src/source/changelogs/v4.6.5.rst
+++ b/user_guide_src/source/changelogs/v4.6.5.rst
@@ -31,6 +31,7 @@ Bugs Fixed
 **********
 
 - **Database:** Fixed a bug where ``Seeder::call()`` did not pass the database connection to child seeders, causing them to use the default connection instead of the one specified via ``Database::seeder('group')``.
+- **HTTP:** Updated the Content Security Policy nonce generation to use base64 encoding instead of hexadecimal, ensuring compatibility with CSP specifications.
 
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_