injectBasePathHint splices a ` ` tag into the SPA shell so the bundled JS can route API calls through the configured prefix. A meta tag (instead of an inline script) keeps us inside the strict CSP — script-src is locked to 'self'.
(body []byte, basePath string)
| 1054 | // configured prefix. A meta tag (instead of an inline script) keeps us |
| 1055 | // inside the strict CSP — script-src is locked to 'self'. |
| 1056 | func injectBasePathHint(body []byte, basePath string) []byte { |
| 1057 | snippet := []byte(`<meta name="zn-base-path" content="` + htmlAttrEscape(basePath) + `">`) |
| 1058 | if idx := indexOfFold(body, []byte("</head>")); idx >= 0 { |
| 1059 | out := make([]byte, 0, len(body)+len(snippet)) |
| 1060 | out = append(out, body[:idx]...) |
| 1061 | out = append(out, snippet...) |
| 1062 | out = append(out, body[idx:]...) |
| 1063 | return out |
| 1064 | } |
| 1065 | return append(snippet, body...) |
| 1066 | } |
| 1067 | |
| 1068 | // htmlAttrEscape escapes the characters that would let a base-path |
| 1069 | // value break out of a double-quoted HTML attribute. |
no test coverage detected