AC-11662 CSP - improve script rendering

tranthienbinh1989 · tranthienbinh1989 · commit d2a9e2f5843d · 2024-03-20T09:15:45.000-05:00
diff --git a/app/code/Magento/PageBuilder/view/adminhtml/templates/stage/render.phtml b/app/code/Magento/PageBuilder/view/adminhtml/templates/stage/render.phtml
@@ -4,32 +4,38 @@
  * See COPYING.txt for license details.
  */
 
-/** @var \Magento\PageBuilder\Block\Adminhtml\Stage\Render $block */
+/** @var \Magento\PageBuilder\Block\Adminhtml\Stage\Render $block
+ *  @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
+ */
 ?>
-<script>
-    <?php
-    /**
-     * Override the text! plugin within the iframe to ensure we can pipe any XHR requests through to the parent window
-     * as the same origin policy will not allow us to load the templates within this iframe.
-     */
-    ?>
-    require.config({
-        'map': {
-            '*': {
-                'text': 'Magento_PageBuilder/js/master-format/render/requirejs/text',
-                'Magento_PageBuilder/js/events': 'Magento_PageBuilder/js/master-format/render/events'
-            }
-        }
-    });
 
-    <?php
-    /**
-     * To be able to override the text plugin we need the Magento template engine to be used, as the template engine
-     * within lib has a dependency on the text! plugin we need to ensure we set the template engine before the
-     * dependency blocks us. If we try to just override using the RequireJS config above our !text plugin will never
-     * get overridden as our template engine cannot load.
-     */
-    ?>
+<?php
+/**
+ * Override the text! plugin within the iframe to ensure we can pipe any XHR requests through to the parent window
+ * as the same origin policy will not allow us to load the templates within this iframe.
+ */
+?>
+<?php
+$pageBuilderConfig = $block->getPageBuilderConfig();
+
+$script = <<<SCRIPT
+   require.config({
+       'map': {
+           '*': {
+               'text': 'Magento_PageBuilder/js/master-format/render/requirejs/text',
+               'Magento_PageBuilder/js/events': 'Magento_PageBuilder/js/master-format/render/events'
+           }
+       }
+   });
+SCRIPT;
+
+/**
+ * To be able to override the text plugin we need the Magento template engine to be used, as the template engine
+ * within lib has a dependency on the text! plugin we need to ensure we set the template engine before the
+ * dependency blocks us. If we try to just override using the RequireJS config above our !text plugin will never
+ * get overridden as our template engine cannot load.
+ */
+$script .= <<<SCRIPT
     require([
         'ko',
         'Magento_Ui/js/lib/knockout/template/engine'
@@ -39,10 +45,14 @@
         ko.uid = 0;
         ko.setTemplateEngine(templateEngine);
     });
-</script>
-<script>
+
     require(['Magento_PageBuilder/js/master-format/render/frame'], function (listen) {
-        listen(<?= /* @noEscape */ $block->getPageBuilderConfig(); ?>);
+        listen(${$pageBuilderConfig});
     });
-</script>
+?>
+SCRIPT;
+
+/* @noEscape */ $secureRenderer->renderTag('script', [], $script, false)
+?>
+
 <div>Page Builder Render Frame</div>
