From 9964285cae4ca2eb860fc187142a115a40edde19 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 8 Feb 2021 11:45:22 -0700
Subject: [PATCH] Fixed issue with `content-security-policy` not being properly supported with `http-equiv` + support single quotes

---
 CHANGELOG.md | 1 +
 system/src/Grav/Common/Page/Page.php | 10 +++++-----
 .../Framework/Flex/Pages/Traits/PageLegacyTrait.php | 4 ++--
 system/templates/partials/metadata.html.twig | 4 ++--
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cde9a0700..b22141a1b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 * Improved session fixation handling in PHP 7.4+ (cannot fix it in PHP 7.3 due to PHP bug)
 * Added optional password/database attributes for redis in `system.yaml`
 1. [](#bugfix)
+ * Fixed issue with `content-security-policy` not being properly supported with `http-equiv` + support single quotes
 * Fixed CLI progressbar in `backup` and `security` commands to use styled output [#3198](https://github.com/getgrav/grav/issues/3198)
 * Fixed page save failing because of uploaded images [#3191](https://github.com/getgrav/grav/issues/3191)
 * Fixed `Flex Pages` using only default language in frontend [#106](https://github.com/trilbymedia/grav-plugin-flex-objects/issues/106)
diff --git a/system/src/Grav/Common/Page/Page.php b/system/src/Grav/Common/Page/Page.php
index 59ea1ee2c..d749c75b3 100644
--- a/system/src/Grav/Common/Page/Page.php
+++ b/system/src/Grav/Common/Page/Page.php
@@ -1665,7 +1665,7 @@ class Page implements PageInterface
 // if not metadata yet, process it.
 if (null === $this->metadata) {
- $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible'];
+ $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible', 'content-security-policy'];
 $this->metadata = [];
@@ -1698,7 +1698,7 @@ class Page implements PageInterface
 $this->metadata[$prop_key] = [
 'name' => $prop_key,
 'property' => $prop_key,
- 'content' => $escape ? htmlspecialchars($prop_value, ENT_QUOTES, 'UTF-8') : $prop_value
+ 'content' => $escape ? htmlspecialchars($prop_value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $prop_value
 ];
 }
 } else {
@@ -1707,16 +1707,16 @@ class Page implements PageInterface
 if (in_array($key, $header_tag_http_equivs, true)) {
 $this->metadata[$key] = [
 'http_equiv' => $key,
- 'content' => $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value
+ 'content' => $escape ? htmlspecialchars($value, ENT_COMPAT, 'UTF-8') : $value
 ];
 } elseif ($key === 'charset') {
- $this->metadata[$key] = ['charset' => $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value];
+ $this->metadata[$key] = ['charset' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value];
 } else {
 // if it's a social metadata with separator, render as property
 $separator = strpos($key, ':');
 $hasSeparator = $separator && $separator < strlen($key) - 1;
 $entry = [
- 'content' => $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value
+ 'content' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value
 ];

 if ($hasSeparator && !Utils::startsWith($key, 'twitter')) {
diff --git a/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php b/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php
index bc43a0429..ba81d8f29 100644
--- a/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php
+++ b/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php
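Review bot: Switching the http-equiv branch to ENT_COMPAT leaves single quotes in `$value` unescaped, so attribute safety now depends entirely on the `content` attribute in metadata.html.twig being delimited with double quotes and not rendered through `|raw`; the twig hunk's tag lines appear stripped in this view, so confirm that before merging (the same change is made in the PageLegacyTrait hunk at -643 and carries the same dependency). That dependency deserves a comment beside the flag, e.g. `// ENT_COMPAT: keep ' literal so CSP source expressions such as 'self' survive; the content attribute must stay double-quoted in metadata.html.twig`. For consistency with the sibling branches, which all use `ENT_QUOTES | ENT_HTML5`, `ENT_COMPAT | ENT_HTML5` would keep the same document-type flag here. Separately, a policy delivered through `<meta http-equiv="content-security-policy">` does not honour `frame-ancestors`, `report-uri` or `sandbox`, so the new `'content-security-policy'` array entry is worth a one-line comment saying so. The enclosing method starts and ends outside the hunk.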
@@ -619,7 +619,7 @@ trait PageLegacyTrait

 // Get initial metadata for the page
 $metadata = array_merge($defaultMetadata, $siteMetadata, $headerMetadata);
- $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible'];
+ $header_tag_http_equivs = ['content-type', 'default-style', 'refresh', 'x-ua-compatible', 'content-security-policy'];
 $escape = !$config->get('system.strict_mode.twig_compat', false) || $config->get('system.twig.autoescape', true);

 // Build an array of meta objects..
@@ -643,7 +643,7 @@ trait PageLegacyTrait
 if (in_array($key, $header_tag_http_equivs, true)) {
 $this->_metadata[$key] = [
 'http_equiv' => $key,
- 'content' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value
+ 'content' => $escape ? htmlspecialchars($value, ENT_COMPAT, 'UTF-8') : $value
 ];
 } elseif ($key === 'charset') {
 $this->_metadata[$key] = ['charset' => $escape ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value];
diff --git a/system/templates/partials/metadata.html.twig b/system/templates/partials/metadata.html.twig
index bf323e7ab..fcf121773 100644
--- a/system/templates/partials/metadata.html.twig
+++ b/system/templates/partials/metadata.html.twig
@@ -1,3 +1,3 @@
 {% for meta in page.metadata %}
-
-{% endfor %}
\ No newline at end of file
+
+{% endfor %}