From 3c85c6b52edbae22cf812e72680d210a644d9313 Mon Sep 17 00:00:00 2001
From: "Greg T. Wallace" <greg@gregtwallace.com>
Date: Sun, 31 Mar 2024 14:38:47 -0400
Subject: [PATCH] fix: csp nonce injection when no closing tag (#16281)
 (#16282)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: 翠 / green <green@sapphi.red>
---
 packages/vite/src/node/plugins/html.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts
index 19cc7b4c6cade2..232f9cc0e037a3 100644
--- a/packages/vite/src/node/plugins/html.ts
+++ b/packages/vite/src/node/plugins/html.ts
@@ -1189,8 +1189,13 @@ export function injectNonceAttributeTagHook(
               parseRelAttr(attr.value).some((a) => processRelType.has(a)),
           ))
       ) {
+        // if the closing of the start tag includes a `/`, the offset should be 2 so the nonce
+        // is appended prior to the `/`
+        const appendOffset =
+          html[node.sourceCodeLocation!.startTag!.endOffset - 2] === '/' ? 2 : 1
+
         s.appendRight(
-          node.sourceCodeLocation!.startTag!.endOffset - 1,
+          node.sourceCodeLocation!.startTag!.endOffset - appendOffset,
           ` nonce="${nonce}"`,
         )
       }