fix: escape CSP nonce attributes in JSON responses

Author: michalsn

system/HTTP/ContentSecurityPolicy.php

@@ -898,13 +898,17 @@ protected function generateNonces(ResponseInterface $response)
             return;
         }
 
+        // Escape quotes for JSON responses to prevent corrupting the JSON body
+        $jsonEscape = str_contains($response->getHeaderLine('Content-Type'), 'json');
+
         // Replace style and script placeholders with nonces
         $pattern = sprintf('/(%s|%s)/', preg_quote($this->styleNonceTag, '/'), preg_quote($this->scriptNonceTag, '/'));
 
-        $body = preg_replace_callback($pattern, function ($match): string {
+        $body = preg_replace_callback($pattern, function ($match) use ($jsonEscape): string {
             $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce();
+            $attr  = 'nonce="' . $nonce . '"';
 
-            return "nonce=\"{$nonce}\"";
+            return $jsonEscape ? str_replace('"', '\\"', $attr) : $attr;
         }, $body);
 
         $response->setBody($body);

tests/system/Debug/ExceptionHandlerTest.php

@@ -16,9 +16,12 @@
 use App\Controllers\Home;
 use CodeIgniter\Exceptions\PageNotFoundException;
 use CodeIgniter\Exceptions\RuntimeException;
+use CodeIgniter\HTTP\IncomingRequest;
+use CodeIgniter\HTTP\Response;
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\IniTestTrait;
 use CodeIgniter\Test\StreamFilterTrait;
+use Config\App;
 use Config\Exceptions as ExceptionsConfig;
 use Config\Services;
 use PHPUnit\Framework\Attributes\Group;
@@ -40,6 +43,8 @@ protected function setUp(): void
         parent::setUp();
 
         $this->handler = new ExceptionHandler(new ExceptionsConfig());
+
+        $this->resetServices();
     }
 
     public function testDetermineViewsPageNotFoundException(): void
@@ -386,4 +391,32 @@ public function testSanitizeDataWithScalars(): void
         $this->assertFalse($sanitizeData(false));
         $this->assertNull($sanitizeData(null));
     }
+
+    public function testHandleJsonResponseWithCSPEnabledProducesValidJson(): void
+    {
+        $config             = config(App::class);
+        $config->CSPEnabled = true;
+
+        /** @var IncomingRequest $request */
+        $request = service('incomingrequest', $config, false);
+        $request->setHeader('accept', 'application/json');
+        $response = new Response($config);
+        $response->pretend();
+
+        $exception = new RuntimeException('Test exception');
+
+        ob_start();
+        $this->handler->handle($exception, $request, $response, 500, EXIT_ERROR);
+        $output = ob_get_clean();
+
+        $json = json_decode($output);
+        $this->assertNotNull($json);
+
+        // Nonce placeholders must not appear in the output
+        $this->assertStringNotContainsString('{csp-style-nonce}', (string) $output);
+        $this->assertStringNotContainsString('{csp-script-nonce}', (string) $output);
+
+        // The nonce attribute values should be properly JSON-escaped
+        $this->assertMatchesRegularExpression('/nonce=\\\\"[A-Za-z0-9+\/=]+\\\\"/', $output);
+    }
 }

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -937,4 +937,38 @@ public function testClearDirective(): void
         $this->assertNotContains('report-uri http://example.com/csp/reports', $directives);
         $this->assertNotContains('report-to default', $directives);
     }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testGenerateNoncesReplacesPlaceholdersInHtml(): void
+    {
+        $body = '<style {csp-style-nonce}>body{}</style><script {csp-script-nonce}>alert(1)</script>';
+
+        $this->response->setBody($body);
+        $this->csp->finalize($this->response);
+
+        $result = $this->response->getBody();
+
+        $this->assertMatchesRegularExpression('/<style nonce="[A-Za-z0-9+\/=]+">/', $result);
+        $this->assertMatchesRegularExpression('/<script nonce="[A-Za-z0-9+\/=]+">/', $result);
+        $this->assertStringNotContainsString('{csp-style-nonce}', (string) $result);
+        $this->assertStringNotContainsString('{csp-script-nonce}', (string) $result);
+    }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testGenerateNoncesEscapesQuotesInJsonResponse(): void
+    {
+        $data = json_encode(['html' => '<script {csp-script-nonce}>alert(1)</script>']);
+
+        $this->response->setContentType('application/json');
+        $this->response->setBody($data);
+        $this->csp->finalize($this->response);
+
+        $result = $this->response->getBody();
+        $parsed = json_decode($result, true);
+
+        $this->assertNotNull($parsed);
+        $this->assertMatchesRegularExpression('/nonce="[A-Za-z0-9+\/=]+"/', $parsed['html']);
+    }
 }

user_guide_src/source/changelogs/v4.7.1.rst

@@ -30,6 +30,8 @@ Deprecations
 Bugs Fixed
 **********
 
+- **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
+
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_
 for a complete list of bugs fixed.