From 176b70650b4aa058984d20cfa7e6cd46ecbb6160 Mon Sep 17 00:00:00 2001
From: Serreau Jovann <jovann@siteconseil.fr>
Date: Thu, 26 Mar 2026 21:06:00 +0100
Subject: [PATCH] Add SRI integrity hashes for CDN scripts and replace md5 with
 xxh128 for cache keys

- Add integrity/crossorigin attributes to chart.js and html5-qrcode CDN scripts
- Replace md5() with hash('xxh128') for Meilisearch cache key generation (non-sensitive context)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/Service/MeilisearchService.php  | 2 +-
 templates/admin/analytics.html.twig | 2 +-
 templates/scanner/index.html.twig   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Service/MeilisearchService.php b/src/Service/MeilisearchService.php
index 9fe94f8..e1a614f 100644
--- a/src/Service/MeilisearchService.php
+++ b/src/Service/MeilisearchService.php
@@ -94,7 +94,7 @@ class MeilisearchService
      */
     public function search(string $index, string $query, array $options = []): array
     {
-        $cacheKey = 'ms_search_'.md5($index.$query.serialize($options));
+        $cacheKey = 'ms_search_'.hash('xxh128', $index.$query.serialize($options));
 
         return $this->cache->get($cacheKey, function (ItemInterface $item) use ($index, $query, $options) {
             $item->expiresAfter(300);
diff --git a/templates/admin/analytics.html.twig b/templates/admin/analytics.html.twig
index 9a0b28c..ad5123e 100644
--- a/templates/admin/analytics.html.twig
+++ b/templates/admin/analytics.html.twig
@@ -134,7 +134,7 @@
         </div>
     </div>
 
-    <script src="https://cdn.jsdelivr.net/npm/chart.js@4/dist/chart.umd.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/chart.js@4/dist/chart.umd.min.js" integrity="sha384-jb8JQMbMoBUzgWatfe6COACi2ljcDdZQ2OxczGA3bGNeWe+6DChMTBJemed7ZnvJ" crossorigin="anonymous">
     <script>
     (function() {
         const labels = {{ chart_labels|json_encode|raw }};
diff --git a/templates/scanner/index.html.twig b/templates/scanner/index.html.twig
index 72dc9b3..b9370f7 100644
--- a/templates/scanner/index.html.twig
+++ b/templates/scanner/index.html.twig
@@ -10,7 +10,7 @@
     <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
     <meta name="apple-mobile-web-app-title" content="Scanner">
     <link rel="apple-touch-icon" href="/logo.png">
-    <script src="https://cdn.jsdelivr.net/npm/html5-qrcode@2.3.8/html5-qrcode.min.js"></script>
+    <script src="https://cdn.jsdelivr.net/npm/html5-qrcode@2.3.8/html5-qrcode.min.js" integrity="sha384-c9d8RFSL+u3exBOJ4Yp3HUJXS4znl9f+z66d1y54ig+ea249SpqR+w1wyvXz/lk+" crossorigin="anonymous"></script>
     <style>
         *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
         body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: #111827; color: #f9fafb; min-height: 100dvh; }