DmxRouting.js breaks CSP rules when <script> tags contain CSP Nonce

Hi,
This part of dmxRouting.js causes <script> tags that contain a CSP nonce to trigger errors.
I'm using a nonce dynamically created in Node.js in a helmet middleware file.

evalScripts: function(t) {
        try {
            var e = t.querySelectorAll('script[type="text/javascript"],script:not([type])');
            dmx.array(e).forEach(function(e) {
                try {
                    var t = document.createElement("script");
                    t.type = "text/javascript",
                    e.src && (t.src = e.src),
                    e.innerHTML && (t.innerHTML = e.innerHTML),
                    e.onerror = function() {
                        console.error("ERROR", arguments)
                    }
                    ,
                    e.parentNode.replaceChild(t, e)
                } catch (t) {
                    console.error("Error executing script " + e.src, t)
                }
            })
        } catch (t) {
            console.error("An error occurred while trying to execute scripts", t)
        }
    },

In another part of the same file where you use document.createElement("script") it also throws the same error.
It's possible to add this to retrieve the nonce in the new script that createElement creates.

var t = document.createElement("script");
    t.type = "text/javascript",
    e.src && (t.src = e.src),
    e.innerHTML && (t.innerHTML = e.innerHTML),
               
    // Get the nonce from the existing script tag and add it to the new one
    e.nonce && (t.nonce = e.nonce),

About CSP here:

Thanks
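An added example (not part of the original post and not Wappler's code) of the nonce carry-over proposed above, written as standalone functions; the names `recreateScript` and `evalScripts` and the `doc` parameter are assumptions. It reads the `nonce` property rather than the attribute, because browsers that implement nonce hiding blank the attribute value once the element is connected to a document whose CSP arrived in a header.

```javascript
// Re-create one <script> so the browser executes it, keeping its CSP nonce.
// `doc` is a Document (hypothetical parameter, passed in so the function is testable).
function recreateScript(doc, oldScript) {
  const fresh = doc.createElement("script");
  fresh.type = "text/javascript";

  // Use the IDL property: getAttribute("nonce") can return "" after nonce hiding.
  // The nonce must be set before the element is inserted into the document.
  if (oldScript.nonce) fresh.nonce = oldScript.nonce;

  if (oldScript.src) fresh.src = oldScript.src;
  if (oldScript.textContent) fresh.textContent = oldScript.textContent;

  // Attach the handler to the element that will actually load.
  fresh.onerror = function (ev) {
    console.error("Error loading script " + fresh.src, ev);
  };

  oldScript.parentNode.replaceChild(fresh, oldScript);
  return fresh;
}

// Same selector as the routing code quoted above; returns the new elements.
function evalScripts(doc, container) {
  const found = container.querySelectorAll(
    'script[type="text/javascript"],script:not([type])'
  );
  return Array.from(found).map(function (old) {
    try {
      return recreateScript(doc, old);
    } catch (err) {
      console.error("Error executing script " + old.src, err);
      return null;
    }
  });
}
```

A script that arrives without a nonce is re-created without one, so the policy still blocks it.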

Something about this and why I have this issue on Routings.

The Bootstrap 5 Paging Generator

This component generates this: <a href="javascript:void(0)"> for the link of every paging button. And according to CSP rules, javascript:void(0) violates its rules because a potential XSS security vulnerability could exist.

So, one way to solve this could be to consider replacing href="javascript:void(0)" with href="#", and to do the same in every other component that uses the same javascript:void(0) as href. This is actually the original way Bootstrap handles it, using "#".

Please check the CSP options available in Wappler 7.3.9