File yelp-xsl-CVE-2025-3155.patch of Package yelp-xsl.38875

Upstream from 6902d7439c0419055e1c48c7771629ccbb278408 Mon Sep 17 00:00:00 2001
Upstream from: Shaun McCance <shaunm@redhat.com>
Upstream date: Fri, 18 Apr 2025 11:31:18 -0400
Upstream subject: [PATCH] Initial fix for CVE-2025-3155 from parrot409
Porting to SUSE:SLE-12-SP2:Update/yelp-xsl
https://gitlab.gnome.org/GNOME/yelp/-/issues/221
https://gitlab.gnome.org/GNOME/yelp-xsl/-/commit/6902d74.patch

--- a/xslt/common/html.xsl
+++ b/xslt/common/html.xsl
@@ -211,6 +211,16 @@
 -->
 <xsl:param name="html.syntax.highlight" select="true()"/>
 
+<!--@@==========================================================================
+html.csp.nonce
+An optional CSP nonce string to allow the execution of scripts and styles.
+@revision[version=42.2 date=2025-02-22 status=final]
+
+This parameter takes a string value that will be added to the 'nonce' attribute
+of all 'style' and 'script' tags in the generated HTML output. This paramter is used
+to whitelist script and style tags that are allowed to be executed.
+-->
+<xsl:param name="html.csp.nonce" select="false()"/>
 
 <!--**==========================================================================
 html.output
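Review bot: The new doc comment for `html.csp.nonce` says the value is added to all 'style' and 'script' tags, but the parameter defaults to `false()` and the stylesheet only emits an attribute. Nothing is restricted unless the calling application also sends a Content-Security-Policy naming the same nonce. I would say so in the comment, e.g. `The caller must generate a fresh, unpredictable value for every generated page and send a matching Content-Security-Policy; when unset, no nonce attribute is emitted.` The word 'all' should also be checked against the script elements this patch leaves untouched, and `paramter` is a typo.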
@@ -604,6 +614,11 @@
     </xsl:call-template>
   </xsl:param>
   <style type="text/css">
+    <xsl:if test="$html.csp.nonce">
+      <xsl:attribute name="nonce">
+        <xsl:value-of select="$html.csp.nonce" />
+      </xsl:attribute>
+    </xsl:if>
     <xsl:call-template name="html.css.content">
       <xsl:with-param name="node" select="$node"/>
       <xsl:with-param name="direction" select="$direction"/>
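Review bot: The five-line `xsl:if`/`xsl:attribute` block added under `<style type="text/css">` is repeated verbatim in the hunks at new lines 1704, 1733 and 1761, so a later script or style element can easily be added without it. A single named template, called as the first child of each element, would keep the nonce logic in one place and make coverage easy to grep for. The call has to stay ahead of any other child content, because an attribute cannot be added once children have been written. The enclosing template starts and ends outside this hunk, and the template name below is only a suggestion.

```xslt
<!-- suggested helper; the name is a placeholder -->
<xsl:template name="html.csp.nonce.attr">
  <xsl:if test="$html.csp.nonce">
    <xsl:attribute name="nonce">
      <xsl:value-of select="$html.csp.nonce"/>
    </xsl:attribute>
  </xsl:if>
</xsl:template>

<!-- … unchanged: param block above the style element … -->
  <style type="text/css">
    <xsl:call-template name="html.csp.nonce.attr"/>
    <!-- … unchanged: html.css.content call … -->
```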
@@ -1689,6 +1704,11 @@
   </script>
   <xsl:if test="$html.syntax.highlight">
     <script type="text/javascript">
+      <xsl:if test="$html.csp.nonce">
+        <xsl:attribute name="nonce">
+          <xsl:value-of select="$html.csp.nonce" />
+        </xsl:attribute>
+      </xsl:if>
       <xsl:attribute name="src">
         <xsl:value-of select="$html.js.root"/>
         <xsl:text>jquery.syntax.js</xsl:text>
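Review bot: The script element that closes on the first context line of this hunk (`</script>`, just above the `$html.syntax.highlight` test) does not appear to receive the nonce. The hunk offsets (old 1689, new 1704) account only for the 15 lines added by the two earlier hunks, so nothing was inserted into it. Once the consumer enforces a nonce-based policy, that element would be blocked while `jquery.syntax.js` is allowed, which is a functional regression rather than a bypass. If the page needs that script, it should get the same `xsl:if test="$html.csp.nonce"` block as its first child. Its opening tag is outside the hunk, so this needs checking against the full file.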
@@ -1713,6 +1733,11 @@
   <xsl:param name="node" select="."/>
   <xsl:if test="$node//mml:*[1]">
     <script type="text/javascript">
+      <xsl:if test="$html.csp.nonce">
+        <xsl:attribute name="nonce">
+          <xsl:value-of select="$html.csp.nonce" />
+        </xsl:attribute>
+      </xsl:if>
       <xsl:attribute name="src">
         <xsl:text>http://cdn.mathjax.org/mathjax/latest/MathJax.js?config=MML_HTMLorMML</xsl:text>
       </xsl:attribute>
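Review bot: The nonce added here is attached to a script whose `src` is a plain `http://` URL on a third-party host (the unchanged `xsl:text` line pointing at `cdn.mathjax.org`), so the policy now explicitly trusts whatever arrives over an unauthenticated connection. A nonce vouches for the element, not for the fetched content, so anyone able to alter that response gets script execution in the rendered help page, which is presumably what the nonce is meant to prevent. I would either leave the nonce off this element, or move the source to an `https://` location or a copy shipped under `$html.js.root` before nonce-enabling it. The enclosing template starts and ends outside the hunk.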
@@ -1736,6 +1761,11 @@
 <xsl:template name="html.js.script">
   <xsl:param name="node" select="."/>
   <script type="text/javascript">
+    <xsl:if test="$html.csp.nonce">
+      <xsl:attribute name="nonce">
+        <xsl:value-of select="$html.csp.nonce" />
+      </xsl:attribute>
+    </xsl:if>
     <xsl:call-template name="html.js.content">
       <xsl:with-param name="node" select="$node"/>
     </xsl:call-template>
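Review bot: For the inline script in `html.js.script`, the nonce approves the whole text produced by `html.js.content`, so the protection holds only if that template never copies text from the input document into the script body. That is not visible from this hunk. A short comment above the `xsl:if` would record the invariant, e.g. `<!-- nonce covers all of html.js.content: it must emit stylesheet-controlled text only, never input-document content -->`. The same applies to `html.css.content` in the `style` hunk. The template's closing tags are outside the hunk.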