From e65d337c6416130c18348577f186b6e43d4f8ca6 Mon Sep 17 00:00:00 2001
From: Pieter Hoste <pieter@baldwin.be>
Date: Fri, 4 Jul 2025 15:50:32 +0200
Subject: [PATCH] Added csp support for inline scripts.

---
 view/frontend/templates/head/head.phtml     | 54 ++++++++++++++-------
 view/frontend/templates/order/success.phtml | 26 ++++++++--
 view/frontend/templates/trustbox.phtml      | 28 ++++++++---
 3 files changed, 79 insertions(+), 29 deletions(-)

diff --git a/view/frontend/templates/head/head.phtml b/view/frontend/templates/head/head.phtml
index 67a276c..d05bb1f 100755
--- a/view/frontend/templates/head/head.phtml
+++ b/view/frontend/templates/head/head.phtml
@@ -1,18 +1,27 @@
-<?php /* @var $block \Trustpilot\Reviews\Block\Head */?>
-<script type="text/javascript" async>
+<?php
+
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+use Trustpilot\Reviews\Block\Head as HeadBlock;
+
+/** @var SecureHtmlRenderer $secureRenderer */
+/** @var HeadBlock $block */
+
+?>
+<?php
+    $scriptStringPartOne = '
     var w = document.createElement("script");
     w.type = "text/javascript";
-    w.src = "<?php echo $block->getWidgetScriptUrl(); ?>";
+    w.src = "' . $block->escapeJs($block->getWidgetScriptUrl()) . '";
     w.async = true;
     document.head.appendChild(w);
-</script>
-<script type="text/javascript">
+';
+
+    $scriptStringPartTwo = '
     (function(w,d,s,r,n){w.TrustpilotObject=n;w[n]=w[n]||function(){(w[n].q=w[n].q||[]).push(arguments)};
-    a=d.createElement(s);a.async=1;a.src=r;a.type='text/java'+s;f=d.getElementsByTagName(s)[0];
-    f.parentNode.insertBefore(a,f)})(window,document,'script', '<?php echo $block->getScriptUrl(); ?>', 'tp');
-    tp('register','<?php echo $block->getInstallationKey(); ?>');
-</script>
-<script type="text/javascript">
+    a=d.createElement(s);a.async=1;a.src=r;a.type="text/java"+s;f=d.getElementsByTagName(s)[0];
+    f.parentNode.insertBefore(a,f)})(window,document,"script", "' . $block->escapeJs($block->getScriptUrl()) . '", "tp");
+    tp("register","' . $block->escapeJs($block->getInstallationKey()) . '");
+
     function inIframe () {
         try {
             return window.self !== window.top;
@@ -22,7 +31,7 @@
     }
 
     function tryParseJson(str) {
-        if (typeof str === 'string') {
+        if (typeof str === "string") {
             try {
                 return JSON.parse(str);
             } catch (e) {
@@ -33,14 +42,14 @@
     }
 
     if (inIframe()) {
-        window.addEventListener('message', function(e) {
+        window.addEventListener("message", function(e) {
             var adminOrign = new URL(window.location).hostname;
             var eventOriginHostname = new URL(e.origin).hostname;
             if (!e.data || adminOrign !== eventOriginHostname) {
                 return;
             }
-            if (typeof TrustpilotPreview !== 'undefined') {
-                if (typeof e.data === 'string' && e.data === 'submit') {
+            if (typeof TrustpilotPreview !== "undefined") {
+                if (typeof e.data === "string" && e.data === "submit") {
                     TrustpilotPreview.sendTrustboxes();
                 } else {
                     jsonData = tryParseJson(e.data);
@@ -56,13 +65,22 @@
                     var p = document.createElement("script");
                     p.type = "text/javascript";
                     p.onload = function () {
-                        const iFrame = e.source.parent.document.getElementById('configuration_iframe').contentWindow;
-                        TrustpilotPreview.init(['<?php echo $block->getPreviewCssUrl(); ?>'], settings, iFrame, e.source);
+                        const iFrame = e.source.parent.document.getElementById("configuration_iframe").contentWindow;
+                        TrustpilotPreview.init(["' . $block->escapeJs($block->getPreviewCssUrl()) . '"], settings, iFrame, e.source);
                     };
-                    p.src = '<?php echo $block->getPreviewScriptUrl(); ?>';
+                    p.src = "' . $block->escapeJs($block->getPreviewScriptUrl()) . '";
                     document.head.appendChild(p);
                 }
             }
         });
     }
-</script>
\ No newline at end of file
+';
+
+// checking on if SecureHtmlRenderer exists first, because this module is still compatible with Magento 2.3.x which doesn't include this class
+if (class_exists(SecureHtmlRenderer::class)) {
+    echo $secureRenderer->renderTag('script', ['async' => 'async'], $scriptStringPartOne, false);
+    echo $secureRenderer->renderTag('script', [], $scriptStringPartTwo, false);
+} else {
+    echo '<script async>' . $scriptStringPartOne . '</script>';
+    echo '<script>' . $scriptStringPartTwo . '</script>';
+}
diff --git a/view/frontend/templates/order/success.phtml b/view/frontend/templates/order/success.phtml
index 27abf42..59512b5 100755
--- a/view/frontend/templates/order/success.phtml
+++ b/view/frontend/templates/order/success.phtml
@@ -1,6 +1,22 @@
-<?php /* @var $block \Trustpilot\Reviews\Block\Success */?>     
-<script type="text/javascript">
-    document.addEventListener('DOMContentLoaded', function() {
-        tp('createInvitation',<?php echo $block->getOrder(); ?>);
+<?php
+
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+use Trustpilot\Reviews\Block\Success as SuccessBlock;
+
+/** @var SecureHtmlRenderer $secureRenderer */
+/** @var SuccessBlock $block */
+
+?>
+<?php
+    $scriptString = '
+    document.addEventListener("DOMContentLoaded", function() {
+        tp("createInvitation", ' .  $block->getOrder() . ');
     });
-</script>
\ No newline at end of file
+';
+
+// checking on if SecureHtmlRenderer exists first, because this module is still compatible with Magento 2.3.x which doesn't include this class
+if (class_exists(SecureHtmlRenderer::class)) {
+    echo $secureRenderer->renderTag('script', [], $scriptString, false);
+} else {
+    echo '<script>' . $scriptString . '</script>';
+}
diff --git a/view/frontend/templates/trustbox.phtml b/view/frontend/templates/trustbox.phtml
index 55660d3..4984a49 100755
--- a/view/frontend/templates/trustbox.phtml
+++ b/view/frontend/templates/trustbox.phtml
@@ -1,9 +1,25 @@
-<?php /* @var $block \Trustpilot\Reviews\Block\Trustbox */?>
-<script type="text/javascript" async>
-    const trustpilot_trustbox_settings = <?php echo $block->loadTrustboxes(); ?>;
+<?php
+
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+use Trustpilot\Reviews\Block\Trustbox as TrustboxBlock;
+
+/** @var SecureHtmlRenderer $secureRenderer */
+/** @var TrustboxBlock $block */
+
+?>
+<?php
+    $scriptString = '
+    const trustpilot_trustbox_settings = ' . $block->loadTrustboxes() . ';
     if (trustpilot_trustbox_settings) {
-        document.addEventListener('DOMContentLoaded', function() {
-            tp('trustBox', trustpilot_trustbox_settings);
+        document.addEventListener("DOMContentLoaded", function() {
+            tp("trustBox", trustpilot_trustbox_settings);
         });
     }
-</script>
\ No newline at end of file
+';
+
+// checking on if SecureHtmlRenderer exists first, because this module is still compatible with Magento 2.3.x which doesn't include this class
+if (class_exists(SecureHtmlRenderer::class)) {
+    echo $secureRenderer->renderTag('script', ['async' => 'async'], $scriptString, false);
+} else {
+    echo '<script async>' . $scriptString . '</script>';
+}