Skip to content

fix: escape CSP nonce attributes in JSON responses#9938

Merged
michalsn merged 3 commits intocodeigniter4:developfrom
michalsn:fix/csp-json-escape
Feb 10, 2026
Merged

fix: escape CSP nonce attributes in JSON responses#9938
michalsn merged 3 commits intocodeigniter4:developfrom
michalsn:fix/csp-json-escape

Conversation

@michalsn
Copy link
Member

@michalsn michalsn commented Feb 8, 2026

Description
This PR fixes a bug where ContentSecurityPolicy::generateNonces() could corrupt the JSON response body.

The method now detects application/json Content-Type responses and properly escapes double quotes in nonce attribute replacements, preventing malformed JSON.

Fixes #9934

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value (without duplication)
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@michalsn michalsn added the bug Verified issues on the current code behavior or pull requests that will fix them label Feb 8, 2026
paulbalandan
paulbalandan reviewed Feb 9, 2026
View reviewed changes
@michalsn @paulbalandan
apply code suggestions
1d90383 
Co-authored-by: John Paul E. Balandan, CPA <paulbalandan@gmail.com>
@michalsn michalsn merged commit a58efe3 into codeigniter4:develop Feb 10, 2026
50 checks passed
@michalsn
Copy link
Member Author

michalsn commented Feb 10, 2026

Thank you @paulbalandan and @datamweb

@michalsn michalsn deleted the fix/csp-json-escape branch February 10, 2026 16:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paulbalandan paulbalandan paulbalandan approved these changes

+1 more reviewer

@datamweb datamweb datamweb approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug Verified issues on the current code behavior or pull requests that will fix them

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: CSP nonce replacement corrupts JSON responses in AJAX requests

3 participants

@michalsn @datamweb @paulbalandan