From e0118484d96e8d2edff4d39a13e02a1b356d310d Mon Sep 17 00:00:00 2001
From: michalsn <michal@sniatala.pl>
Date: Sun, 8 Feb 2026 20:13:58 +0100
Subject: [PATCH 1/3] fix: escape CSP nonce attributes in JSON responses

---
 system/HTTP/ContentSecurityPolicy.php         |  8 +++--
 tests/system/Debug/ExceptionHandlerTest.php   | 33 ++++++++++++++++++
 .../system/HTTP/ContentSecurityPolicyTest.php | 34 +++++++++++++++++++
 user_guide_src/source/changelogs/v4.7.1.rst   |  2 ++
 4 files changed, 75 insertions(+), 2 deletions(-)

diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 04d93365af25..f15a85df32d9 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -898,13 +898,17 @@ protected function generateNonces(ResponseInterface $response)
             return;
         }
 
+        // Escape quotes for JSON responses to prevent corrupting the JSON body
+        $jsonEscape = str_contains($response->getHeaderLine('Content-Type'), 'json');
+
         // Replace style and script placeholders with nonces
         $pattern = sprintf('/(%s|%s)/', preg_quote($this->styleNonceTag, '/'), preg_quote($this->scriptNonceTag, '/'));
 
-        $body = preg_replace_callback($pattern, function ($match): string {
+        $body = preg_replace_callback($pattern, function ($match) use ($jsonEscape): string {
             $nonce = $match[0] === $this->styleNonceTag ? $this->getStyleNonce() : $this->getScriptNonce();
+            $attr  = 'nonce="' . $nonce . '"';
 
-            return "nonce=\"{$nonce}\"";
+            return $jsonEscape ? str_replace('"', '\\"', $attr) : $attr;
         }, $body);
 
         $response->setBody($body);
diff --git a/tests/system/Debug/ExceptionHandlerTest.php b/tests/system/Debug/ExceptionHandlerTest.php
index a1958be5f36b..6b6dc3e41e4f 100644
--- a/tests/system/Debug/ExceptionHandlerTest.php
+++ b/tests/system/Debug/ExceptionHandlerTest.php
@@ -16,9 +16,12 @@
 use App\Controllers\Home;
 use CodeIgniter\Exceptions\PageNotFoundException;
 use CodeIgniter\Exceptions\RuntimeException;
+use CodeIgniter\HTTP\IncomingRequest;
+use CodeIgniter\HTTP\Response;
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\IniTestTrait;
 use CodeIgniter\Test\StreamFilterTrait;
+use Config\App;
 use Config\Exceptions as ExceptionsConfig;
 use Config\Services;
 use PHPUnit\Framework\Attributes\Group;
@@ -40,6 +43,8 @@ protected function setUp(): void
         parent::setUp();
 
         $this->handler = new ExceptionHandler(new ExceptionsConfig());
+
+        $this->resetServices();
     }
 
     public function testDetermineViewsPageNotFoundException(): void
@@ -386,4 +391,32 @@ public function testSanitizeDataWithScalars(): void
         $this->assertFalse($sanitizeData(false));
         $this->assertNull($sanitizeData(null));
     }
+
+    public function testHandleJsonResponseWithCSPEnabledProducesValidJson(): void
+    {
+        $config             = config(App::class);
+        $config->CSPEnabled = true;
+
+        /** @var IncomingRequest $request */
+        $request = service('incomingrequest', $config, false);
+        $request->setHeader('accept', 'application/json');
+        $response = new Response($config);
+        $response->pretend();
+
+        $exception = new RuntimeException('Test exception');
+
+        ob_start();
+        $this->handler->handle($exception, $request, $response, 500, EXIT_ERROR);
+        $output = ob_get_clean();
+
+        $json = json_decode($output);
+        $this->assertNotNull($json);
+
+        // Nonce placeholders must not appear in the output
+        $this->assertStringNotContainsString('{csp-style-nonce}', (string) $output);
+        $this->assertStringNotContainsString('{csp-script-nonce}', (string) $output);
+
+        // The nonce attribute values should be properly JSON-escaped
+        $this->assertMatchesRegularExpression('/nonce=\\\\"[A-Za-z0-9+\/=]+\\\\"/', $output);
+    }
 }
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index af9638b6a8ba..cbde9db2bd32 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -937,4 +937,38 @@ public function testClearDirective(): void
         $this->assertNotContains('report-uri http://example.com/csp/reports', $directives);
         $this->assertNotContains('report-to default', $directives);
     }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testGenerateNoncesReplacesPlaceholdersInHtml(): void
+    {
+        $body = '<style {csp-style-nonce}>body{}</style><script {csp-script-nonce}>alert(1)</script>';
+
+        $this->response->setBody($body);
+        $this->csp->finalize($this->response);
+
+        $result = $this->response->getBody();
+
+        $this->assertMatchesRegularExpression('/<style nonce="[A-Za-z0-9+\/=]+">/', $result);
+        $this->assertMatchesRegularExpression('/<script nonce="[A-Za-z0-9+\/=]+">/', $result);
+        $this->assertStringNotContainsString('{csp-style-nonce}', (string) $result);
+        $this->assertStringNotContainsString('{csp-script-nonce}', (string) $result);
+    }
+
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testGenerateNoncesEscapesQuotesInJsonResponse(): void
+    {
+        $data = json_encode(['html' => '<script {csp-script-nonce}>alert(1)</script>']);
+
+        $this->response->setContentType('application/json');
+        $this->response->setBody($data);
+        $this->csp->finalize($this->response);
+
+        $result = $this->response->getBody();
+        $parsed = json_decode($result, true);
+
+        $this->assertNotNull($parsed);
+        $this->assertMatchesRegularExpression('/nonce="[A-Za-z0-9+\/=]+"/', $parsed['html']);
+    }
 }
diff --git a/user_guide_src/source/changelogs/v4.7.1.rst b/user_guide_src/source/changelogs/v4.7.1.rst
index 2761dcb50e19..b337ea2f78a2 100644
--- a/user_guide_src/source/changelogs/v4.7.1.rst
+++ b/user_guide_src/source/changelogs/v4.7.1.rst
@@ -30,6 +30,8 @@ Deprecations
 Bugs Fixed
 **********
 
+- **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
+
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_
 for a complete list of bugs fixed.

From b086066c1280b1716e129b9fbb9187759a50de16 Mon Sep 17 00:00:00 2001
From: michalsn <michal@sniatala.pl>
Date: Sun, 8 Feb 2026 20:48:40 +0100
Subject: [PATCH 2/3] remove environment-dependent CSP JSON test from
 ExceptionHandlerTest

---
 tests/system/Debug/ExceptionHandlerTest.php | 31 ---------------------
 1 file changed, 31 deletions(-)

diff --git a/tests/system/Debug/ExceptionHandlerTest.php b/tests/system/Debug/ExceptionHandlerTest.php
index 6b6dc3e41e4f..7bd7bdb35465 100644
--- a/tests/system/Debug/ExceptionHandlerTest.php
+++ b/tests/system/Debug/ExceptionHandlerTest.php
@@ -16,12 +16,9 @@
 use App\Controllers\Home;
 use CodeIgniter\Exceptions\PageNotFoundException;
 use CodeIgniter\Exceptions\RuntimeException;
-use CodeIgniter\HTTP\IncomingRequest;
-use CodeIgniter\HTTP\Response;
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\IniTestTrait;
 use CodeIgniter\Test\StreamFilterTrait;
-use Config\App;
 use Config\Exceptions as ExceptionsConfig;
 use Config\Services;
 use PHPUnit\Framework\Attributes\Group;
@@ -391,32 +388,4 @@ public function testSanitizeDataWithScalars(): void
         $this->assertFalse($sanitizeData(false));
         $this->assertNull($sanitizeData(null));
     }
-
-    public function testHandleJsonResponseWithCSPEnabledProducesValidJson(): void
-    {
-        $config             = config(App::class);
-        $config->CSPEnabled = true;
-
-        /** @var IncomingRequest $request */
-        $request = service('incomingrequest', $config, false);
-        $request->setHeader('accept', 'application/json');
-        $response = new Response($config);
-        $response->pretend();
-
-        $exception = new RuntimeException('Test exception');
-
-        ob_start();
-        $this->handler->handle($exception, $request, $response, 500, EXIT_ERROR);
-        $output = ob_get_clean();
-
-        $json = json_decode($output);
-        $this->assertNotNull($json);
-
-        // Nonce placeholders must not appear in the output
-        $this->assertStringNotContainsString('{csp-style-nonce}', (string) $output);
-        $this->assertStringNotContainsString('{csp-script-nonce}', (string) $output);
-
-        // The nonce attribute values should be properly JSON-escaped
-        $this->assertMatchesRegularExpression('/nonce=\\\\"[A-Za-z0-9+\/=]+\\\\"/', $output);
-    }
 }

From 1d90383e0b36c5bda5fb977545621856fdcee4e8 Mon Sep 17 00:00:00 2001
From: michalsn <michal@sniatala.pl>
Date: Mon, 9 Feb 2026 18:36:30 +0100
Subject: [PATCH 3/3] apply code suggestions

Co-authored-by: John Paul E. Balandan, CPA <paulbalandan@gmail.com>
---
 tests/system/HTTP/ContentSecurityPolicyTest.php | 6 ++++--
 user_guide_src/source/changelogs/v4.7.1.rst     | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index cbde9db2bd32..beafa54ce164 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -951,8 +951,9 @@ public function testGenerateNoncesReplacesPlaceholdersInHtml(): void
 
         $this->assertMatchesRegularExpression('/<style nonce="[A-Za-z0-9+\/=]+">/', $result);
         $this->assertMatchesRegularExpression('/<script nonce="[A-Za-z0-9+\/=]+">/', $result);
-        $this->assertStringNotContainsString('{csp-style-nonce}', (string) $result);
-        $this->assertStringNotContainsString('{csp-script-nonce}', (string) $result);
+        $this->assertIsString($result);
+        $this->assertStringNotContainsString('{csp-style-nonce}', $result);
+        $this->assertStringNotContainsString('{csp-script-nonce}', $result);
     }
 
     #[PreserveGlobalState(false)]
@@ -968,6 +969,7 @@ public function testGenerateNoncesEscapesQuotesInJsonResponse(): void
         $result = $this->response->getBody();
         $parsed = json_decode($result, true);
 
+        $this->assertSame(JSON_ERROR_NONE, json_last_error());
         $this->assertNotNull($parsed);
         $this->assertMatchesRegularExpression('/nonce="[A-Za-z0-9+\/=]+"/', $parsed['html']);
     }
diff --git a/user_guide_src/source/changelogs/v4.7.1.rst b/user_guide_src/source/changelogs/v4.7.1.rst
index b337ea2f78a2..04c7adb5004a 100644
--- a/user_guide_src/source/changelogs/v4.7.1.rst
+++ b/user_guide_src/source/changelogs/v4.7.1.rst
@@ -30,7 +30,7 @@ Deprecations
 Bugs Fixed
 **********
 
-- **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
+- **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` produces corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
 
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_