apache
diff --git a/‎impl/src/main/java/org/apache/myfaces/context/servlet/PartialViewContextImpl.java‎
Lines changed: 3 additions & 0 deletions b/‎impl/src/main/java/org/apache/myfaces/context/servlet/PartialViewContextImpl.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎impl/src/main/java/org/apache/myfaces/renderkit/html/HtmlResponseWriterImpl.java‎
Lines changed: 2 additions & 0 deletions b/‎impl/src/main/java/org/apache/myfaces/renderkit/html/HtmlResponseWriterImpl.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎impl/src/main/java/org/apache/myfaces/renderkit/html/base/HtmlBodyRendererBase.java‎
Lines changed: 2 additions & 0 deletions b/‎impl/src/main/java/org/apache/myfaces/renderkit/html/base/HtmlBodyRendererBase.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎impl/src/main/java/org/apache/myfaces/renderkit/html/base/HtmlButtonRendererBase.java‎
Lines changed: 11 additions & 2 deletions b/‎impl/src/main/java/org/apache/myfaces/renderkit/html/base/HtmlButtonRendererBase.java‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎impl/src/main/java/org/apache/myfaces/renderkit/html/base/HtmlLinkRendererBase.java‎
Lines changed: 8 additions & 1 deletion b/‎impl/src/main/java/org/apache/myfaces/renderkit/html/base/HtmlLinkRendererBase.java‎
Lines changed: 8 additions & 1 deletion
@@ -59,6 +59,7 @@
 import org.apache.myfaces.context.PartialResponseWriterImpl;
 import org.apache.myfaces.context.RequestViewContext;
 import org.apache.myfaces.renderkit.html.HtmlResponseStateManager;
+import org.apache.myfaces.renderkit.html.util.CommonHtmlEventsUtil;
 import org.apache.myfaces.renderkit.html.util.ResourceUtils;
 import org.apache.myfaces.util.lang.StringUtils;
 import org.apache.myfaces.component.visit.MyFacesVisitHints;
@@ -572,6 +573,8 @@ else if (viewRoot.isTransient())
                 writer.writeText(cw.getId(), null);
                 writer.endUpdate();
             }
+
+            CommonHtmlEventsUtil.flushDeferredCspBehaviorScripts(context, writer);
         }
         catch (IOException ex)
         {
 
@@ -35,6 +35,7 @@
 import jakarta.faces.render.Renderer;
 
 import org.apache.myfaces.config.webparameters.MyfacesConfig;
+import org.apache.myfaces.renderkit.html.util.CommonHtmlEventsUtil;
 import org.apache.myfaces.core.api.shared.ComponentUtils;
 import org.apache.myfaces.renderkit.ContentTypeUtils;
 import org.apache.myfaces.renderkit.html.util.UnicodeEncoder;
@@ -306,6 +307,7 @@ public void startDocument()
     public void endDocument() throws IOException
     {
         FacesContext facesContext = getFacesContext();
+        CommonHtmlEventsUtil.flushDeferredCspBehaviorScripts(facesContext, this);
         MyfacesConfig myfacesConfig = MyfacesConfig.getCurrentInstance(facesContext);
         if (myfacesConfig.isEarlyFlushEnabled())
         {
 
@@ -158,6 +158,8 @@ public void encodeEnd(FacesContext facesContext, UIComponent component) throws I
                 child.encodeAll(facesContext);
             }
         }
+
+        CommonHtmlEventsUtil.flushDeferredCspBehaviorScripts(facesContext, writer);
 
         // render all unhandled FacesMessages when ProjectStage is Development
         if (facesContext.isProjectStage(ProjectStage.Development))
 
@@ -44,6 +44,7 @@
 
 import org.apache.myfaces.renderkit.ClientBehaviorEvents;
 import org.apache.myfaces.renderkit.RendererUtils;
+import org.apache.myfaces.renderkit.html.util.CommonHtmlEventsUtil;
 import org.apache.myfaces.renderkit.html.util.JavascriptUtils;
 import org.apache.myfaces.renderkit.html.util.ResourceUtils;
 import org.apache.myfaces.renderkit.html.util.HTML;
@@ -187,7 +188,11 @@ public void encodeBegin(FacesContext facesContext, UIComponent uiComponent) thro
                         form, validParams);
                 if (onClick.length() != 0)
                 {
-                    writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);
+                    if (!CommonHtmlEventsUtil.deferClientBehaviorScriptIfCspNonceActive(
+                            facesContext, clientId, HTML.ONCLICK_ATTR, onClick))
+                    {
+                        writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);
+                    }
                 }
             }
             else
@@ -201,7 +206,11 @@ public void encodeBegin(FacesContext facesContext, UIComponent uiComponent) thro
                         commandOnclick , null);
                 if (onClick.length() != 0)
                 {
-                    writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);
+                    if (!CommonHtmlEventsUtil.deferClientBehaviorScriptIfCspNonceActive(
+                            facesContext, clientId, HTML.ONCLICK_ATTR, onClick))
+                    {
+                        writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);
+                    }
                 }
             }
 
 
@@ -549,7 +549,14 @@ protected void renderBehaviorizedJavaScriptAnchorStart(FacesContext facesContext
 
         writer.startElement(HTML.ANCHOR_ELEM, component);
         writer.writeURIAttribute(HTML.HREF_ATTR, "#", null);
-        writer.writeAttribute(HTML.ONCLICK_ATTR, onclick, null);
+        if (onclick != null && !onclick.isEmpty())
+        {
+            if (!CommonHtmlEventsUtil.deferClientBehaviorScriptIfCspNonceActive(
+                    facesContext, clientId, HTML.ONCLICK_ATTR, onclick))
+            {
+                writer.writeAttribute(HTML.ONCLICK_ATTR, onclick, null);
+            }
+        }
     }
 
     private boolean hasSubmittingBehavior(Map<String, List<ClientBehavior>> clientBehaviors, String eventName)
Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@`
`59`	`59`	`import org.apache.myfaces.context.PartialResponseWriterImpl;`
`60`	`60`	`import org.apache.myfaces.context.RequestViewContext;`
`61`	`61`	`import org.apache.myfaces.renderkit.html.HtmlResponseStateManager;`
	`62`	`+import org.apache.myfaces.renderkit.html.util.CommonHtmlEventsUtil;`
`62`	`63`	`import org.apache.myfaces.renderkit.html.util.ResourceUtils;`
`63`	`64`	`import org.apache.myfaces.util.lang.StringUtils;`
`64`	`65`	`import org.apache.myfaces.component.visit.MyFacesVisitHints;`
`@@ -572,6 +573,8 @@ else if (viewRoot.isTransient())`
`572`	`573`	`writer.writeText(cw.getId(), null);`
`573`	`574`	`writer.endUpdate();`
`574`	`575`	`}`
	`576`	`+`
	`577`	`+ CommonHtmlEventsUtil.flushDeferredCspBehaviorScripts(context, writer);`
`575`	`578`	`}`
`576`	`579`	`catch (IOException ex)`
`577`	`580`	`{`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@`
`35`	`35`	`import jakarta.faces.render.Renderer;`
`36`	`36`
`37`	`37`	`import org.apache.myfaces.config.webparameters.MyfacesConfig;`
	`38`	`+import org.apache.myfaces.renderkit.html.util.CommonHtmlEventsUtil;`
`38`	`39`	`import org.apache.myfaces.core.api.shared.ComponentUtils;`
`39`	`40`	`import org.apache.myfaces.renderkit.ContentTypeUtils;`
`40`	`41`	`import org.apache.myfaces.renderkit.html.util.UnicodeEncoder;`
`@@ -306,6 +307,7 @@ public void startDocument()`
`306`	`307`	`public void endDocument() throws IOException`
`307`	`308`	`{`
`308`	`309`	`FacesContext facesContext = getFacesContext();`
	`310`	`+ CommonHtmlEventsUtil.flushDeferredCspBehaviorScripts(facesContext, this);`
`309`	`311`	`MyfacesConfig myfacesConfig = MyfacesConfig.getCurrentInstance(facesContext);`
`310`	`312`	`if (myfacesConfig.isEarlyFlushEnabled())`
`311`	`313`	`{`
Original file line number	Diff line number	Diff line change
`@@ -158,6 +158,8 @@ public void encodeEnd(FacesContext facesContext, UIComponent component) throws I`
`158`	`158`	`child.encodeAll(facesContext);`
`159`	`159`	`}`
`160`	`160`	`}`
	`161`	`+`
	`162`	`+ CommonHtmlEventsUtil.flushDeferredCspBehaviorScripts(facesContext, writer);`
`161`	`163`
`162`	`164`	`// render all unhandled FacesMessages when ProjectStage is Development`
`163`	`165`	`if (facesContext.isProjectStage(ProjectStage.Development))`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@`
`44`	`44`
`45`	`45`	`import org.apache.myfaces.renderkit.ClientBehaviorEvents;`
`46`	`46`	`import org.apache.myfaces.renderkit.RendererUtils;`
	`47`	`+import org.apache.myfaces.renderkit.html.util.CommonHtmlEventsUtil;`
`47`	`48`	`import org.apache.myfaces.renderkit.html.util.JavascriptUtils;`
`48`	`49`	`import org.apache.myfaces.renderkit.html.util.ResourceUtils;`
`49`	`50`	`import org.apache.myfaces.renderkit.html.util.HTML;`
`@@ -187,7 +188,11 @@ public void encodeBegin(FacesContext facesContext, UIComponent uiComponent) thro`
`187`	`188`	`form, validParams);`
`188`	`189`	`if (onClick.length() != 0)`
`189`	`190`	`{`
`190`		`- writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);`
	`191`	`+ if (!CommonHtmlEventsUtil.deferClientBehaviorScriptIfCspNonceActive(`
	`192`	`+ facesContext, clientId, HTML.ONCLICK_ATTR, onClick))`
	`193`	`+ {`
	`194`	`+ writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);`
	`195`	`+ }`
`191`	`196`	`}`
`192`	`197`	`}`
`193`	`198`	`else`
`@@ -201,7 +206,11 @@ public void encodeBegin(FacesContext facesContext, UIComponent uiComponent) thro`
`201`	`206`	`commandOnclick , null);`
`202`	`207`	`if (onClick.length() != 0)`
`203`	`208`	`{`
`204`		`- writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);`
	`209`	`+ if (!CommonHtmlEventsUtil.deferClientBehaviorScriptIfCspNonceActive(`
	`210`	`+ facesContext, clientId, HTML.ONCLICK_ATTR, onClick))`
	`211`	`+ {`
	`212`	`+ writer.writeAttribute(HTML.ONCLICK_ATTR, onClick, null);`
	`213`	`+ }`
`205`	`214`	`}`
`206`	`215`	`}`
`207`	`216`