From a9cd1900435192ad0f9fefd0a6c4c99b370e7fe6 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Tue, 10 Oct 2023 16:50:25 +0900
Subject: [PATCH 1/2] test: add test
---
 tests/system/Honeypot/HoneypotTest.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/tests/system/Honeypot/HoneypotTest.php b/tests/system/Honeypot/HoneypotTest.php
index 65b27e3e07d6..f3b4a659934f 100644
--- a/tests/system/Honeypot/HoneypotTest.php
+++ b/tests/system/Honeypot/HoneypotTest.php
@@ -100,6 +100,24 @@ public function testAttachHoneypotAndContainerWithCSP(): void
 $this->assertMatchesRegularExpression($regex, $this->response->getBody());
 }
+ public function testNotAttachHoneypotWithCSP(): void
+ {
+ $this->resetServices();
+
+ $config = new App();
+ $config->CSPEnabled = true;
+ Factories::injectMock('config', 'App', $config);
+ $this->response = Services::response($config, false);
+
+ $this->config = new HoneypotConfig();
+ $this->honeypot = new Honeypot($this->config);
+
+ $this->response->setBody('');
+ $this->honeypot->attachHoneypot($this->response);
+
+ $this->assertSame('', $this->response->getBody());
+ }
+
 public function testHasntContent(): void
 {
 unset($_POST[$this->config->name]);
From 4892849941ef46bd933fb92005ad5b6ec97df12d Mon Sep 17 00:00:00 2001
From: kenjis
Date: Tue, 10 Oct 2023 16:34:55 +0900
Subject: [PATCH 2/2] fix: CSP style nonce is added even if honeypot is not attached The tag like this was added in tag in every page.
---
 system/Honeypot/Honeypot.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/system/Honeypot/Honeypot.php b/system/Honeypot/Honeypot.php
index c2f3cf67cc7b..82da90020cac 100644
--- a/system/Honeypot/Honeypot.php
+++ b/system/Honeypot/Honeypot.php
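Review bot: testNotAttachHoneypotWithCSP() asserts only that the response body is unchanged, while the bug named in the follow-up commit concerns the CSP style nonce. An extra assertion that the response's Content-Security-Policy header carries no style nonce when no form is present would pin the security-relevant half of the behaviour; this assumes the nonce is registered with the CSP object when the style tag is built, which is not visible in this hunk. The test also injects a mocked App config through `Factories::injectMock()`, and whether that is reset afterwards depends on a tearDown outside the hunk. A comment above the setBody() call such as `// No form in the body: the honeypot field and the CSP style tag must both be skipped` would document the intent.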
@@ -89,16 +89,16 @@ public function attachHoneypot(ResponseInterface $response)
 $prepField = $this->prepareTemplate($this->config->template);
- $body = $response->getBody();
- $body = str_ireplace('', $prepField . '', $body);
+ $bodyBefore = $response->getBody();
+ $bodyAfter = str_ireplace('', $prepField . '', $bodyBefore);
- if ($response->getCSP()->enabled()) {
+ if ($response->getCSP()->enabled() && ($bodyBefore !== $bodyAfter)) {
 // Add style tag for the container tag in the head tag.
- $style = '';
- $body = str_ireplace('', $style . '', $body);
+ $style = '';
+ $bodyAfter = str_ireplace('', $style . '', $bodyAfter);
 }
- $response->setBody($bodyAfter);
+ $response->setBody($bodyAfter);
 }
 /**
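Review bot: The new guard `($bodyBefore !== $bodyAfter)` infers "a honeypot field was inserted" from a comparison of two full copies of the response body. `str_ireplace()` already reports this through its optional fourth by-reference argument, so capturing `$count` on the first call and testing `$count > 0` would state the intent directly; the two checks differ only if the prepared template is empty, which should be confirmed against prepareTemplate(). The existing comment should also say that the style tag is now conditional, e.g. `// Only when a honeypot field was inserted: add the style tag (and its CSP nonce) to the head.` attachHoneypot() begins above this hunk, so any earlier returns are not visible here.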