From 6ab268c16e374db128c7b85dbdaf8fe90875b94d Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Wed, 13 May 2026 11:18:35 -0700
Subject: [PATCH] fix(security): content security policy allows unsafe-eval

In lib/Controller/DisplayController.php, the ContentSecurityPolicy allows 'unsafe-eval' script domain. This severely weakens CSP protection and allows inline JavaScript execution, making the application vulnerable to XSS attacks.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 lib/Controller/DisplayController.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/Controller/DisplayController.php b/lib/Controller/DisplayController.php
index 645003b..48a6265 100644
--- a/lib/Controller/DisplayController.php
+++ b/lib/Controller/DisplayController.php
@@ -65,7 +65,6 @@ public function showMindmapViewer(): TemplateResponse {
 $policy->addAllowedFontDomain('data:');
 $policy->addAllowedImageDomain('*');
 $policy->addAllowedConnectDomain('data:');
- $policy->addAllowedScriptDomain('\'unsafe-eval\'');
 $response->setContentSecurityPolicy($policy);
 return $response;
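Review bot: Nothing in this patch prevents 'unsafe-eval' from being reintroduced, and the viewer will now fail silently rather than degrade if its bundled JavaScript calls eval()/new Function(); assuming this is Nextcloud's ContentSecurityPolicy API, add a test on showMindmapViewer() such as `self::assertStringNotContainsString('unsafe-eval', $response->getContentSecurityPolicy()->buildPolicy());` and confirm the viewer loads with no CSP violation reports in the browser console. Note that 'unsafe-eval' only permits string-to-code execution (eval, Function, string-argument setTimeout), not inline scripts, so the commit message's description of the risk overstates the XSS angle while the removal itself is still correct. The surviving `$policy->addAllowedImageDomain('*');` lets this page load images from any origin, which is a usable exfiltration beacon should attacker-controlled markup ever reach the viewer; if it only needs user-uploaded images, `'self'` plus `data:`/`blob:` would be tighter, and a short comment stating why each remaining allowance exists would help keep the policy from being loosened again. The enclosing showMindmapViewer() body starts and ends outside the hunk.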