Helpers::getNonce() accepts optional $attr parameter to return HTML attribute string

Author: dg

src/Tracy/Dumper/Dumper.php

@@ -171,7 +171,7 @@ public static function renderAssets(): void
 
 		$sent = true;
 
-		$nonceAttr = ($nonce = Helpers::getNonce()) ? ' nonce="' . Helpers::escapeHtml($nonce) . '"' : '';
+		$nonceAttr = Helpers::getNonce(attr: true);
 		$s = (Debugger::$showBar ? '' : file_get_contents(__DIR__ . '/../assets/reset.css'))
 			. file_get_contents(__DIR__ . '/../assets/toggle.css')
 			. file_get_contents(__DIR__ . '/assets/dumper-light.css')

src/Tracy/Helpers.php

@@ -333,10 +333,10 @@ public static function isCli(): bool
 
 
 	/** @internal */
-	public static function getNonce(): ?string
+	public static function getNonce(bool $attr = false): ?string
 	{
 		return preg_match('#^Content-Security-Policy(?:-Report-Only)?:.*\sscript-src(?:-elem)?\s+(?:[^;]+\s)?\'nonce-([\w+/]+=*)\'#mi', implode("\n", headers_list()), $m)
-			? $m[1]
+			? ($attr ? ' nonce="' . self::escapeHtml($m[1]) . '"' : $m[1])
 			: null;
 	}
 

tests/Tracy/Helpers.getNonce().phpt

@@ -23,6 +23,7 @@ test('no CSP header', function () {
 test('script-src with nonce', function () {
 	header("Content-Security-Policy: script-src 'nonce-abc123='");
 	Assert::same('abc123=', Helpers::getNonce());
+	Assert::same(' nonce="abc123="', Helpers::getNonce(attr: true));
 });