Eliminate all inline scripts to enable script-src 'self' without 'unsafe-inline', providing strong XSS mitigation via CSP. Inline script removal: - login.phtml: replace inline APP_ASSET_BASE with data-asset-base attribute + app-boot.js (matching default.phtml pattern) - api-docs: extract SwaggerUI init to js/pages/admin-api-docs-index.js - docs: extract checkbox enablement to js/pages/admin-docs-index.js - language-switcher: replace onchange handler with data-auto-submit attribute + js/components/app-auto-submit.js event listener CSP policy (dev + prod nginx): default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; manifest-src 'self' Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
55 lines
1.9 KiB
PHTML
55 lines
1.9 KiB
PHTML
<?php
|
|
|
|
use MintyPHP\Buffer;
|
|
|
|
$defaultTitle = appTitle();
|
|
$primaryVars = appPrimaryCssVars();
|
|
$theme = appDefaultTheme();
|
|
$pageTitle = $defaultTitle;
|
|
ob_start();
|
|
Buffer::get('title');
|
|
$bufferTitle = trim((string) ob_get_clean());
|
|
if ($bufferTitle !== '') {
|
|
$pageTitle = $bufferTitle . ' - ' . $defaultTitle;
|
|
}
|
|
|
|
?>
|
|
<!DOCTYPE html>
|
|
<html
|
|
data-theme="<?php e($theme); ?>"
|
|
data-asset-base="<?php e(asset('')); ?>"
|
|
data-password-toggle-show-label="<?php e(t('Show password')); ?>"
|
|
data-password-toggle-hide-label="<?php e(t('Hide password')); ?>"
|
|
<?php if ($primaryVars !== ''): ?>style="<?php e($primaryVars); ?>" <?php endif; ?>>
|
|
|
|
<head>
|
|
<script src="<?php e(assetVersion('js/app-boot.js')); ?>"></script>
|
|
<base href="<?php e(localeBase()); ?>">
|
|
<title><?php e($pageTitle); ?></title>
|
|
<meta property="og:site_name" content="<?php e($defaultTitle); ?>">
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<link rel="icon" type="image/png" sizes="32x32" href="<?php e(appFaviconUrl('favicon-32x32.png')); ?>">
|
|
<link rel="icon" type="image/png" sizes="16x16" href="<?php e(appFaviconUrl('favicon-16x16.png')); ?>">
|
|
<link rel="apple-touch-icon" href="<?php e(appFaviconUrl('apple-touch-icon.png')); ?>">
|
|
<link rel="manifest" href="<?php e(asset('favicon/site.webmanifest')); ?>">
|
|
<?php renderTemplateStyles('login'); ?>
|
|
<?php renderPageStyles(); ?>
|
|
</head>
|
|
|
|
<body>
|
|
<main class="login-main">
|
|
<div class="container-small login-flash-container">
|
|
<?php require __DIR__ . '/partials/app-flash.phtml'; ?>
|
|
</div>
|
|
<div class="container-small login-content-container">
|
|
<?php Buffer::get('html'); ?>
|
|
</div>
|
|
</main>
|
|
<?php require __DIR__ . '/partials/app-footer.phtml'; ?>
|
|
<div id="gradient"></div>
|
|
<script type="module" src="<?php e(assetVersion('js/app-login-init.js')); ?>"></script>
|
|
</body>
|
|
|
|
</html>
|