From 7694edcc3bfa0228d7042f4329aa214e0413f422 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: Jun 03 2019 12:32:04 +0000
Subject: Generate a nonce per request and add it to every template on inline JS


Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>

---

diff --git a/pagure/flask_app.py b/pagure/flask_app.py
index 8c31e08..d2829d6 100644
--- a/pagure/flask_app.py
+++ b/pagure/flask_app.py
@@ -13,6 +13,7 @@ from __future__ import unicode_literals, absolute_import
 import datetime
 import gc
 import logging
+import string
 import time
 import os
 
@@ -244,6 +245,9 @@ def set_request():
     flask.g.main_app = flask.current_app
     flask.g.version = pagure.__version__
     flask.g.confirmationform = pagure.forms.ConfirmationForm()
+    flask.g.nonce = pagure.lib.login.id_generator(
+        size=25, chars=string.ascii_letters + string.digits
+    )
 
     flask.g.issues_enabled = pagure_config.get("ENABLE_TICKETS", True)
 
diff --git a/pagure/templates/_render_repo.html b/pagure/templates/_render_repo.html
index 0e76bba..88ab963 100644
--- a/pagure/templates/_render_repo.html
+++ b/pagure/templates/_render_repo.html
@@ -325,7 +325,7 @@
       </div>
       </div>
     </div>
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       function padStr(i) {
           return (i < 10) ? "0" + i : "" + i;
       }
diff --git a/pagure/templates/activity.html b/pagure/templates/activity.html
index 9c2caba..938d77c 100644
--- a/pagure/templates/activity.html
+++ b/pagure/templates/activity.html
@@ -21,7 +21,7 @@
 
 {% block jscripts %}
 {{ super() }}
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
 function processMessages(item, lastitem) {
   if (item["topic"].indexOf("io.pagure.prod.pagure.pull-request") > -1 ){
     if (lastitem.valueOf() != new String("PR#"+item["msg"]["pullrequest"]["id"]).valueOf())
diff --git a/pagure/templates/add_group_project.html b/pagure/templates/add_group_project.html
index 9bc43a5..cf4a33b 100644
--- a/pagure/templates/add_group_project.html
+++ b/pagure/templates/add_group_project.html
@@ -75,7 +75,7 @@
 {{ super() }}
 <script type="text/javascript"
         src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 function set_up_group_list(url, query, callback) {
   $.getJSON(
       url, {
diff --git a/pagure/templates/add_token.html b/pagure/templates/add_token.html
index 756ad7b..fe2e3d1 100644
--- a/pagure/templates/add_token.html
+++ b/pagure/templates/add_token.html
@@ -66,7 +66,7 @@
   </div>
 </div>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
   function toggle() {
     var checkboxes = document.querySelectorAll('input[type="checkbox"]');
     for (var i = 0; i < checkboxes.length; i++) {
diff --git a/pagure/templates/add_user.html b/pagure/templates/add_user.html
index cc25de7..6913533 100644
--- a/pagure/templates/add_user.html
+++ b/pagure/templates/add_user.html
@@ -73,7 +73,7 @@
 {{ super() }}
 <script type="text/javascript"
         src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $( document ).ready(function() {
   var user_to_update = "{{ user_to_update }}";
   if (!user_to_update || user_to_update === "None") {
diff --git a/pagure/templates/blame.html b/pagure/templates/blame.html
index 72ee027..476b402 100644
--- a/pagure/templates/blame.html
+++ b/pagure/templates/blame.html
@@ -182,7 +182,7 @@ No content found in this repository
 
 <script>hljs.initHighlightingOnLoad();</script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 function updateHighlight() {
   var cls = "highlighted-line";
   $('.' + cls).removeClass(cls)
diff --git a/pagure/templates/comment_update.html b/pagure/templates/comment_update.html
index cd15c51..768d270 100644
--- a/pagure/templates/comment_update.html
+++ b/pagure/templates/comment_update.html
@@ -38,7 +38,7 @@
   </form>
 
 </section>
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $("#preview").hide();
     $("#edit_previewinmarkdown").click(
       function(event, ui) {
diff --git a/pagure/templates/commit.html b/pagure/templates/commit.html
index 2207b71..86bf756 100644
--- a/pagure/templates/commit.html
+++ b/pagure/templates/commit.html
@@ -495,7 +495,7 @@
     <script type="text/javascript"
       src="{{ url_for('static', filename='vendor/diff2html/diff2html-ui.min.js') }}?version={{ g.version}}"></script>
 
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       $(document).ready(function() {
         $(".diffcollapse").click(function(e){
           $(this).find("i").toggleClass("fa-caret-down fa-caret-up")
diff --git a/pagure/templates/commits.html b/pagure/templates/commits.html
index faaf4ee..0dc399c 100644
--- a/pagure/templates/commits.html
+++ b/pagure/templates/commits.html
@@ -209,7 +209,7 @@
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $(function(){
     $('.diff_commits_link').click(function(){
       $('#diff_commits').toggle();
diff --git a/pagure/templates/edit_file.html b/pagure/templates/edit_file.html
index 79a2364..9772029 100644
--- a/pagure/templates/edit_file.html
+++ b/pagure/templates/edit_file.html
@@ -115,7 +115,7 @@
 <script>var myCodeMirror = CodeMirror.fromTextArea(document.getElementById("textareaCode"), {
     lineNumbers: true
   });</script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 
 var lbranch = $('#branch').html();
 
diff --git a/pagure/templates/edit_group.html b/pagure/templates/edit_group.html
index b367366..3a3df2d 100644
--- a/pagure/templates/edit_group.html
+++ b/pagure/templates/edit_group.html
@@ -79,7 +79,7 @@
 
 <script type="text/javascript" src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}"></script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $('#user').selectize({
   valueField: 'user',
   labelField: 'user',
diff --git a/pagure/templates/file.html b/pagure/templates/file.html
index 520b03b..2d83b90 100644
--- a/pagure/templates/file.html
+++ b/pagure/templates/file.html
@@ -263,7 +263,7 @@ No content found in this repository
 <script type="text/javascript"
   src="{{ url_for('static', filename='vendor/highlight.js/spec.js') }}?version={{ g.version}}"></script>
 
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $(document).ready(function() {
   $('pre.syntaxhighlightblock code').each(function(i, block) {
     hljs.highlightBlock(block);
@@ -272,7 +272,7 @@ No content found in this repository
 });
 </script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
   function updateHighlight() {
     var cls = "highlighted-line";
     $('.' + cls).removeClass(cls)
diff --git a/pagure/templates/group_info.html b/pagure/templates/group_info.html
index e16846a..919f642 100644
--- a/pagure/templates/group_info.html
+++ b/pagure/templates/group_info.html
@@ -124,7 +124,7 @@
 {% block jscripts %}
   {{ super() }}
   <script src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}" type="text/javascript"> </script>
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="{{ g.nonce }}">
   $(document).ready(function() {
     $('#headerSearch').on('keypress keydown keyup', function(e) {
       if (e.which == 13) {
diff --git a/pagure/templates/group_list.html b/pagure/templates/group_list.html
index cd719ea..4a52d00 100644
--- a/pagure/templates/group_list.html
+++ b/pagure/templates/group_list.html
@@ -70,7 +70,7 @@
 {% block jscripts %}
     {{ super() }}
 <script src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}" type="text/javascript"> </script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
   $('#headerSearch').on('keypress keydown keyup', function(e) {
     if (e.which == 13) {
diff --git a/pagure/templates/index.html b/pagure/templates/index.html
index d0263f1..263c78f 100644
--- a/pagure/templates/index.html
+++ b/pagure/templates/index.html
@@ -40,7 +40,7 @@
 {% block jscripts %}
     {{ super() }}
 <script src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}" type="text/javascript"> </script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
 
   $('#headerSearch').on('keypress keydown keyup', function(e) {
diff --git a/pagure/templates/issue.html b/pagure/templates/issue.html
index a5425a7..325b6ab 100644
--- a/pagure/templates/issue.html
+++ b/pagure/templates/issue.html
@@ -657,7 +657,7 @@ namespace=repo.namespace, repo=repo.name, issueid=issueid)
 <script type="text/javascript" src="{{ url_for('static', filename='vendor/jquery.caret/jquery.caret.min.js') }}?version={{ g.version}}"></script>
 <script type="text/javascript" src="{{ url_for('static', filename='vendor/jquery.atwho/jquery.atwho.min.js') }}?version={{ g.version}}"></script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 
 {% if g.authenticated and form %}
 $(document).ready(function() {
@@ -850,7 +850,7 @@ $(document).ready(function() {
 {% endif %}
 
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 var source = null;
 var sse = true;
 
@@ -965,7 +965,7 @@ function try_async_comment(form) {
 </script>
 
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 {% if g.authenticated and (g.repo_user or issue.user.user == g.fas_user.username or open_access) %}
 function take_issue(){
   var _url = "{{ url_for('api_ns.api_assign_issue',
diff --git a/pagure/templates/issues.html b/pagure/templates/issues.html
index 488f4f8..a70ba38 100644
--- a/pagure/templates/issues.html
+++ b/pagure/templates/issues.html
@@ -538,7 +538,7 @@
 
 <script type="text/javascript"
   src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
 
     $("#search_pattern-selectize-reset").on('click', function(e){
diff --git a/pagure/templates/master.html b/pagure/templates/master.html
index 05c6ae6..78aff75 100644
--- a/pagure/templates/master.html
+++ b/pagure/templates/master.html
@@ -33,10 +33,10 @@
           {% if (config.get('ENABLE_NEW_PROJECTS', True) and config.get('ENABLE_UI_NEW_PROJECTS', True))
           or config.get('ENABLE_GROUP_MNGT', False)  %}
           <li class="nav-item dropdown ml-3">
-            <a class="nav-link dropdown-toggle font-weight-bold" 
+            <a class="nav-link dropdown-toggle font-weight-bold"
               data-toggle="dropdown"
               href="#"
-              role="button" aria-haspopup="true" 
+              role="button" aria-haspopup="true"
               aria-expanded="false">
             Create
             </a>
@@ -168,7 +168,7 @@
             filename='vendor/jquery/jquery.min.js') }}?version={{ g.version}}">
     </script>
     {{theme.js_imports()}}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ g.nonce }}">
 $('[data-toggle="tooltip"]').tooltip({placement : 'bottom'});
     </script>
     {% endblock %}
@@ -176,7 +176,7 @@ $('[data-toggle="tooltip"]').tooltip({placement : 'bottom'});
 {% if config['FEDMENU_URL'] %}
 <script src="{{ config['FEDMENU_URL'] }}/js/fedmenu.js"></script>
 <script src="{{ config['FEDMENU_URL'] }}/js/fedora-libravatar.js"></script>
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
   fedmenu({
     'url': '{{ config["FEDMENU_DATA_URL"] }}',
     'mimeType': 'application/javascript',
diff --git a/pagure/templates/new_issue.html b/pagure/templates/new_issue.html
index f2bdc0c..55f7c59 100644
--- a/pagure/templates/new_issue.html
+++ b/pagure/templates/new_issue.html
@@ -223,7 +223,7 @@
     src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}">
 </script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 {% if g.authenticated and form %}
 $(document).ready(function() {
   // Set up the handler for the file input box.
diff --git a/pagure/templates/new_project.html b/pagure/templates/new_project.html
index 4be5995..b649c49 100644
--- a/pagure/templates/new_project.html
+++ b/pagure/templates/new_project.html
@@ -55,7 +55,7 @@
 {% if config.get('PRIVATE_PROJECTS', False) %}
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 var _user = '{{ g.fas_user.username }}';
 $('#private').change(function(){
   var _private = $('#private').is(':checked');
diff --git a/pagure/templates/patchfile.html b/pagure/templates/patchfile.html
index 3a6d74c..ad98c0f 100644
--- a/pagure/templates/patchfile.html
+++ b/pagure/templates/patchfile.html
@@ -42,7 +42,7 @@
 <script type="text/javascript"
   src="{{ url_for('static', filename='vendor/highlight.js/spec.js') }}?version={{ g.version}}"></script>
 
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $(document).ready(function() {
   $('pre.syntaxhighlightblock code').each(function(i, block) {
     hljs.highlightBlock(block);
diff --git a/pagure/templates/pull_request_title.html b/pagure/templates/pull_request_title.html
index 5c67957..2d1d611 100644
--- a/pagure/templates/pull_request_title.html
+++ b/pagure/templates/pull_request_title.html
@@ -87,7 +87,7 @@
   src="{{ url_for('static', filename='vendor/jquery.atwho/jquery.atwho.min.js') }}?version={{ g.version}}">
 </script>
 
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $("#preview").hide();
   $("#edit_previewinmarkdown").click(
     function(event, ui) {
diff --git a/pagure/templates/repo_branches.html b/pagure/templates/repo_branches.html
index 4057b35..3880b5b 100644
--- a/pagure/templates/repo_branches.html
+++ b/pagure/templates/repo_branches.html
@@ -110,7 +110,7 @@
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(function() {
   {% if g.authenticated and g.repo_committer %}
   var _cnt = 0;
diff --git a/pagure/templates/repo_comparecommits.html b/pagure/templates/repo_comparecommits.html
index 850e2d5..5d2e1af 100644
--- a/pagure/templates/repo_comparecommits.html
+++ b/pagure/templates/repo_comparecommits.html
@@ -133,7 +133,7 @@
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 
 $(document).ready(function () {
   $('#show_hidden_commits a').click(function(e){
diff --git a/pagure/templates/repo_info.html b/pagure/templates/repo_info.html
index ba61e59..61fd04d 100644
--- a/pagure/templates/repo_info.html
+++ b/pagure/templates/repo_info.html
@@ -340,7 +340,7 @@ git push -u origin master</pre>
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
     {% if g.repo_watch_levels %}
         var currentWatchStatusButton = $('#watch_{{ g.repo_watch_levels | join('_') }}_button .check-icon span');
diff --git a/pagure/templates/repo_master.html b/pagure/templates/repo_master.html
index 0c238c3..d8560fb 100644
--- a/pagure/templates/repo_master.html
+++ b/pagure/templates/repo_master.html
@@ -293,13 +293,13 @@
         src="{{ url_for('static',
             filename='vendor/lazyload/lazyload.min.js') }}?version={{ g.version}}">
     </script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 window.addEventListener("load", function(event) {
     lazyload();
 });
 
 </script>
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $("#giturl-toggle").on('click', function(event){
   event.stopPropagation();
   $("#giturl-more").toggle();
diff --git a/pagure/templates/repo_new_pull_request.html b/pagure/templates/repo_new_pull_request.html
index 213d40e..a45d5cc 100644
--- a/pagure/templates/repo_new_pull_request.html
+++ b/pagure/templates/repo_new_pull_request.html
@@ -386,7 +386,7 @@
 <script type="text/javascript"
   src="{{ url_for('static', filename='request_ev.js') }}?version={{ g.version}}"></script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 
 function showTab(){
   $('#pr-tabs a[href="#request_diff"]').tab('show')
diff --git a/pagure/templates/repo_pull_request.html b/pagure/templates/repo_pull_request.html
index 60c25d8..acf62bd 100644
--- a/pagure/templates/repo_pull_request.html
+++ b/pagure/templates/repo_pull_request.html
@@ -764,7 +764,7 @@
 <script type="text/javascript"
   src="{{ url_for('static', filename='request_ev.js') }}?version={{ g.version}}"></script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 function cancel_edit_btn() {
   $(".cancel").unbind();
   $(".cancel").click(
@@ -1275,7 +1275,7 @@ function try_async_comment(form, inline) {
 
 </script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 var cur_hash = null;
 
 function highlight_comment() {
@@ -1627,7 +1627,7 @@ setup_btn_take_drop();
 
 
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 var source = null;
 var sse = true;
 {% if config['EVENTSOURCE_SOURCE'] and pull_request %}
diff --git a/pagure/templates/repo_stats.html b/pagure/templates/repo_stats.html
index 0c9a404..69599ab 100644
--- a/pagure/templates/repo_stats.html
+++ b/pagure/templates/repo_stats.html
@@ -42,7 +42,7 @@
 <script type="text/javascript" src="{{
   url_for('static', filename='issues_stats.js') }}?version={{ g.version}}"></script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 
 {% if g.repo_obj and g.repo_obj.is_empty %}
 var repo_exists = false;
diff --git a/pagure/templates/requests.html b/pagure/templates/requests.html
index 38a014b..9b3cc26 100644
--- a/pagure/templates/requests.html
+++ b/pagure/templates/requests.html
@@ -299,7 +299,7 @@
 
 <script type="text/javascript"
   src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
 
     $("#search_pattern-selectize-reset").on('click', function(e){
diff --git a/pagure/templates/settings.html b/pagure/templates/settings.html
index 24ee38d..3cd4403 100644
--- a/pagure/templates/settings.html
+++ b/pagure/templates/settings.html
@@ -1128,7 +1128,7 @@
 
 <script type="text/javascript" src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}"></script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 function updateform() {
   $('.custom-keys').change(function() {
     field_type = $(this).val();
@@ -1142,7 +1142,7 @@ function updateform() {
 updateform();
 </script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 function show_acls(acls) {
   var _txt = '<div title="ACLs details" id="show_meeting">'
     + '<ul>';
@@ -1461,7 +1461,7 @@ $('.ajaxed').click(function(e) {
 
 </script>
 
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $(document).ready(function() {
     $('#nav-tab a.nav-link').on('shown.bs.tab', function (e) {
       window.location.hash = e.target.hash;
diff --git a/pagure/templates/settings_options.html b/pagure/templates/settings_options.html
index e7c4838..288df4c 100644
--- a/pagure/templates/settings_options.html
+++ b/pagure/templates/settings_options.html
@@ -112,7 +112,7 @@ Project Options
 
 <script type="text/javascript"
   src="/static/vendor/jquery/jquery.min.js"></script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $(document).ready(function() {
     $('.help_content').hide();
 
diff --git a/pagure/templates/user_info.html b/pagure/templates/user_info.html
index d701a86..60e04cc 100644
--- a/pagure/templates/user_info.html
+++ b/pagure/templates/user_info.html
@@ -67,7 +67,7 @@
 
 {% block jscripts %}
     {{ super() }}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       $(function(){
         $('.show_parts input[type="checkbox"]').change(function(){
           $('#' + $(this).attr('name')).toggle();
@@ -75,7 +75,7 @@
       });
     </script>
 <script src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}" type="text/javascript"> </script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
   $('#headerSearch').on('keypress keydown keyup', function(e) {
     if (e.which == 13) {
diff --git a/pagure/templates/user_list.html b/pagure/templates/user_list.html
index b76122f..f1a3a2b 100644
--- a/pagure/templates/user_list.html
+++ b/pagure/templates/user_list.html
@@ -50,11 +50,11 @@
                 <span class="fa {{projecticon()}} pr-1"></span>
                  {{- user.repos_length}} &nbsp;
               </span>
-              <span title="Forks" data-toggle="tooltip"> 
+              <span title="Forks" data-toggle="tooltip">
                 <i class="fa fa-code-fork pr-1"></i>
                  {{- user.forks_length}} &nbsp;
               </span>
-              <span title="Groups" data-toggle="tooltip"> 
+              <span title="Groups" data-toggle="tooltip">
                 <span class="fa fa-users pr-1"></span>
                  {{- user.groups|count}}
               </span>
@@ -93,7 +93,7 @@
 {% block jscripts %}
     {{ super() }}
 <script src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}" type="text/javascript"> </script>
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
   $('#headerSearch').on('keypress keydown keyup', function(e) {
     if (e.which == 13) {
diff --git a/pagure/templates/user_settings.html b/pagure/templates/user_settings.html
index 39dd64c..4f41af4 100644
--- a/pagure/templates/user_settings.html
+++ b/pagure/templates/user_settings.html
@@ -336,7 +336,7 @@
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
   $(document).ready(function() {
     $('#nav-tab a.nav-link').on('shown.bs.tab', function (e) {
       window.location.hash = e.target.hash+'-tab';
diff --git a/pagure/templates/userdash_activity.html b/pagure/templates/userdash_activity.html
index 2a7d99f..c391f73 100644
--- a/pagure/templates/userdash_activity.html
+++ b/pagure/templates/userdash_activity.html
@@ -138,7 +138,7 @@
 
 {% block jscripts %}
     {{ super() }}
-    <script>
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       $(document).ready(function() {
         var $acls_selectize = $('#acls-selectize').selectize({
     onInitialize: function(){
diff --git a/pagure/templates/userdash_master.html b/pagure/templates/userdash_master.html
index 0ba45b9..eed8025 100644
--- a/pagure/templates/userdash_master.html
+++ b/pagure/templates/userdash_master.html
@@ -115,7 +115,7 @@
 {% block jscripts %}
 {{ super() }}
 <script src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}" type="text/javascript"> </script>
-<script>
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $('#userdash-search').selectize({
     persist: false,
     maxItems: 1,
diff --git a/pagure/templates/userdash_projects.html b/pagure/templates/userdash_projects.html
index 3c948a0..2d09804 100644
--- a/pagure/templates/userdash_projects.html
+++ b/pagure/templates/userdash_projects.html
@@ -310,7 +310,7 @@
 
 {% block jscripts %}
     {{ super() }}
-    <script>
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       $(document).ready(function() {
         var $acls_selectize = $('#acls-selectize').selectize({
     onInitialize: function(){
diff --git a/pagure/templates/userdash_template.html b/pagure/templates/userdash_template.html
index 4bef5e0..a1ddbac 100644
--- a/pagure/templates/userdash_template.html
+++ b/pagure/templates/userdash_template.html
@@ -276,7 +276,7 @@
 
 {% block jscripts %}
     {{ super() }}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       $(function(){
         $('.show_parts input[type="checkbox"]').change(function(){
           $('#' + $(this).attr('name')).toggle();
diff --git a/pagure/templates/userprofile_issues.html b/pagure/templates/userprofile_issues.html
index 0172902..130f24c 100644
--- a/pagure/templates/userprofile_issues.html
+++ b/pagure/templates/userprofile_issues.html
@@ -58,7 +58,7 @@
 
 {% block jscripts %}
     {{ super() }}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       count_issues(status='.issue-status-open');
       $(function(){
         $('.issues-tagbar .btn').click(function(){
diff --git a/pagure/templates/userprofile_pullrequests.html b/pagure/templates/userprofile_pullrequests.html
index a44c7bd..c3b54f5 100644
--- a/pagure/templates/userprofile_pullrequests.html
+++ b/pagure/templates/userprofile_pullrequests.html
@@ -66,7 +66,7 @@
 
 {% block jscripts %}
     {{ super() }}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ g.nonce }}">
       count_issues(status='.pr-status-open');
       $(function(){
         $('.issues-tagbar .btn').click(function(){
diff --git a/pagure/templates/waiting.html b/pagure/templates/waiting.html
index 06a675c..45ebfc5 100644
--- a/pagure/templates/waiting.html
+++ b/pagure/templates/waiting.html
@@ -32,7 +32,7 @@
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 var _delay = 1;
 var _cnt = '{{ count }}';
 
diff --git a/pagure/templates/waiting_post.html b/pagure/templates/waiting_post.html
index de45a04..204b676 100644
--- a/pagure/templates/waiting_post.html
+++ b/pagure/templates/waiting_post.html
@@ -40,7 +40,7 @@
 
 {% block jscripts %}
   {{ super() }}
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="{{ g.nonce }}">
     var _delay = 1;
     var _cnt = '{{ count }}';
 
diff --git a/pagure/themes/srcfpo/templates/group_info.html b/pagure/themes/srcfpo/templates/group_info.html
index 8302e06..20d66d6 100644
--- a/pagure/themes/srcfpo/templates/group_info.html
+++ b/pagure/themes/srcfpo/templates/group_info.html
@@ -130,7 +130,7 @@
 {% block jscripts %}
   {{ super() }}
   <script src="{{ url_for('static', filename='vendor/selectize/selectize.min.js') }}?version={{ g.version}}" type="text/javascript"> </script>
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="{{ g.nonce }}">
   $(document).ready(function() {
     $('#headerSearch').on('keypress keydown keyup', function(e) {
       if (e.which == 13) {
diff --git a/pagure/themes/srcfpo/templates/repo_branches.html b/pagure/themes/srcfpo/templates/repo_branches.html
index 529978a..99c349c 100644
--- a/pagure/themes/srcfpo/templates/repo_branches.html
+++ b/pagure/themes/srcfpo/templates/repo_branches.html
@@ -120,7 +120,7 @@
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 function disable_branches(){
   function get_branches(_url){
     $.ajax({
diff --git a/pagure/themes/srcfpo/templates/repo_info.html b/pagure/themes/srcfpo/templates/repo_info.html
index c93a8a7..db713d7 100644
--- a/pagure/themes/srcfpo/templates/repo_info.html
+++ b/pagure/themes/srcfpo/templates/repo_info.html
@@ -447,7 +447,7 @@ git push -u origin master</pre>
 
 {% block jscripts %}
 {{ super() }}
-<script type="text/javascript">
+<script type="text/javascript" nonce="{{ g.nonce }}">
 $(document).ready(function() {
     {% if g.repo_watch_levels %}
         var currentWatchStatusButton = $('#watch_{{ g.repo_watch_levels | join('_') }}_button .check-icon span');
diff --git a/pagure/themes/srcfpo/templates/repo_master_sidebar.html b/pagure/themes/srcfpo/templates/repo_master_sidebar.html
index ba0480a..34f43c3 100644
--- a/pagure/themes/srcfpo/templates/repo_master_sidebar.html
+++ b/pagure/themes/srcfpo/templates/repo_master_sidebar.html
@@ -109,7 +109,7 @@
     </div>
   </div>
 
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="{{ g.nonce }}">
     window.addEventListener('load', function() {
 
       set_up_monitoring = function(status){