Prevent semicolons and CRLFs from being injected in report-uri

src/CSPBuilder.php

@@ -137,7 +137,7 @@ public function compile(): string
             if (!is_string($this->policies['report-uri'])) {
                 throw new TypeError('report-uri policy somehow not a string');
             }
-            $compiled [] = 'report-uri ' . $this->policies['report-uri'] . '; ';
+            $compiled [] = 'report-uri ' . $this->enc($this->policies['report-uri'], 'report-uri') . '; ';
         }
         if (!empty($this->policies['report-to'])) {
             if (!is_string($this->policies['report-to'])) {
@@ -1035,6 +1035,8 @@ protected function getHeaderKeys(bool $legacy = true): array
     protected function enc(string $piece, string $type = 'default'): string
     {
         switch ($type) {
+            case 'report-uri':
+                return str_replace(["\r", "\n", ';'], '', $piece);
             case 'mime':
                 if (preg_match('#^([a-z0-9\-/]+)#', $piece, $matches)) {
                     return $matches[1];

test/BasicTest.php

@@ -273,19 +273,19 @@ public function testSandbox()
         $csp->setDirective('sandbox');
         $compiled = $csp->compile();
 
-        $this->assertEquals($compiled, 'sandbox; ');
+        $this->assertEquals($compiled, 'sandbox');
 
         $csp->addSource('sandbox', 'allow-scripts');
         $compiled = $csp->compile();
 
-        $this->assertEquals($compiled, 'sandbox allow-scripts; ');
+        $this->assertEquals($compiled, 'sandbox allow-scripts');
 
         $csp->setDirective('sandbox', [
             'allow' => ['allow-popups-to-escape-sandbox'],
         ]);
         $compiled = $csp->compile();
 
-        $this->assertEquals($compiled, 'sandbox allow-popups-to-escape-sandbox; ');
+        $this->assertEquals($compiled, 'sandbox allow-popups-to-escape-sandbox');
     }
 
     /**