fix: per pr review comments, major one is to not add nonce to comment…

…ed out code or inside noscript
qld-gov-au · Nov 29, 2024 · bda573a · bda573a
1 parent b2a3576
commit bda573a
Show file tree

Hide file tree

Showing 8 changed files with 130 additions and 133 deletions.
diff --git a/orders-war/gulpfile.js b/orders-war/gulpfile.js
@@ -17,9 +17,9 @@ function webTemplateReleaseInstall () {
         .pipe(replace(/<!--#include virtual="\/assets\/includes-cdn\/([a-zA-Z-]+)\/(.*)"-->/g, '<#include "..\/$1\/$2"\/>'))
         .pipe(replace(/<!--#include virtual="(.*)"-->/g, '<#include "$1"/>'))
         .pipe(replace(/(test-static|static)\.qgov\.net\.au/g, '${cdnEnvironment}'))
-        .pipe(htmlFilter).pipe(replace(/<(script|link|style)/g, '<$1 nonce="${__csp_nonce}"'))
+        .pipe(htmlFilter).pipe(replace(/(?<!<!--|<noscript>\n?\s*)<(script|link|style)/g, '<$1 nonce="${__csp_nonce}"'))
         .pipe(htmlFilter.restore)
-        .pipe(gulp.dest('./target/generated-sources/src/main/resources/templates/web-template-release'));//
+        .pipe(gulp.dest('./target/generated-sources/src/main/resources/templates/web-template-release'));
 }
 exports.webTemplateReleaseInstall = webTemplateReleaseInstall;
 

diff --git a/orders-war/src/main/java/au/gov/qld/pub/orders/config/App.java b/orders-war/src/main/java/au/gov/qld/pub/orders/config/App.java
@@ -1,7 +1,6 @@
 package au.gov.qld.pub.orders.config;
 
 
-
 import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
@@ -17,15 +16,14 @@
 @EnableWebMvc
 @EnableAsync
 @SpringBootApplication
-@ComponentScan( basePackages = {"au.gov.qld.pub.orders"})
+@ComponentScan(basePackages = {"au.gov.qld.pub.orders"})
 @EnableCaching
 @EnableScheduling
 @EnableJpaRepositories(basePackages = "au.gov.qld.pub.orders.dao")
 @EntityScan(basePackages = "au.gov.qld.pub.orders.entity")
 @EnableConfigurationProperties
 @EnableEncryptableProperties
 public class App {
-
     public static void main(String[] args) {
         SpringApplication.run(App.class, args);
     }

diff --git a/orders-war/src/main/resources/application-local.yml b/orders-war/src/main/resources/application-local.yml
@@ -9,7 +9,7 @@ errorRedirect: "${sourceUrl}"
 
 jasypt:
   encryptor:
-    #provider needs to be bouncycastel for this algorithm
+    #provider needs to be bouncycastle for this algorithm
     provider-name: "BC"
     provider-class-name: org.bouncycastle.jce.provider.BouncyCastleProvider
     algorithm: "PBEWITHSHA256AND128BITAES-CBC-BC"

diff --git a/orders-war/src/main/resources/templates/index.ftlh b/orders-war/src/main/resources/templates/index.ftlh
@@ -40,7 +40,7 @@
 
 
 <!-- noindex -->
-    <!--[if lt IE 9]><script nonce="${__csp_nonce}" type="text/javascript">jQuery && jQuery.transformer({addClasses:true});</script><![endif]-->
+    <!--[if lt IE 9]><script type="text/javascript">jQuery && jQuery.transformer({addClasses:true});</script><![endif]-->
 
     <div id="access">
         <h2>Skip links and keyboard navigation</h2>

diff --git a/orders-war/src/main/resources/templates/macro/page.ftlh b/orders-war/src/main/resources/templates/macro/page.ftlh
@@ -39,7 +39,7 @@
         <link nonce="${__csp_nonce}" type="text/css" href="${papiBase}/ui/minicart_1.0.css" rel="stylesheet" />
 
         <noscript>
-            <style nonce="${__csp_nonce}">
+            <style>
                 .collapse{
                     display: block !important;
                 }

diff --git a/orders-war/src/main/resources/templates/notfound.ftlh b/orders-war/src/main/resources/templates/notfound.ftlh
@@ -9,7 +9,7 @@
         <meta name="ROBOTS" content="NOINDEX, NOFOLLOW" />
 
     <link nonce="${__csp_nonce}" rel="stylesheet" type="text/css" href="https://static.qgov.net.au/assets/v2/style/qgov.css" media="all" />
-    <!--[if lt IE 9]><link nonce="${__csp_nonce}" rel="stylesheet" href="https://static.qgov.net.au/assets/v2/style/qgov-ie.css" type="text/css" media="all" /><![endif]-->
+    <!--[if lt IE 9]><link rel="stylesheet" href="https://static.qgov.net.au/assets/v2/style/qgov-ie.css" type="text/css" media="all" /><![endif]-->
 
     <!-- layout-small is assumed by default (combined with qgov.css) -->
     <link nonce="${__csp_nonce}" href="https://static.qgov.net.au/assets/v2/style/layout-medium.css" media="only all and (min-width: 640px) and (max-width: 980px)" rel="stylesheet" type="text/css" />
@@ -27,8 +27,8 @@
     // --></script>
     <script nonce="${__csp_nonce}" type="text/javascript" src="https://static.qgov.net.au/assets/v2/script/qgov-environment.js" id="qgov-environment"></script>
     <!--[if lt IE 9]>
-    <script nonce="${__csp_nonce}" type="text/javascript">document.createElement('abbr');document.createElement('time');</script>
-    <script nonce="${__csp_nonce}" type="text/javascript" src="https://static.qgov.net.au/assets/v2/script/ie-layout.js"></script>
+    <script type="text/javascript">document.createElement('abbr');document.createElement('time');</script>
+    <script type="text/javascript" src="https://static.qgov.net.au/assets/v2/script/ie-layout.js"></script>
     <![endif]-->
 
     <link rel="schema.DCTERMS" href="http://purl.org/dc/terms/" />

diff --git a/orders-war/src/test/java/au/gov/qld/pub/orders/service/AttachmentServiceTest.java b/orders-war/src/test/java/au/gov/qld/pub/orders/service/AttachmentServiceTest.java
diff --git a/orders-war/src/test/resources/application.yml b/orders-war/src/test/resources/application.yml
@@ -9,7 +9,7 @@ errorRedirect: "${sourceUrl}"
 
 jasypt:
   encryptor:
-    #provider needs to be bouncycastel for this algorithm
+    #provider needs to be bouncycastle for this algorithm
     provider-name: "BC"
     provider-class-name: org.bouncycastle.jce.provider.BouncyCastleProvider
     algorithm: "PBEWITHSHA256AND128BITAES-CBC-BC"