Email Shortcode violated CSP

[jbspeakr]

Description

The Content Security Policy (CSP) prevents cross-site scripting attacks by blocking inline execution of scripts. However, the Doks-custom email shortcode leverages unsafe inline JS which renders the shortcode unusable. Adding a risky unsafe-inline as a source to the CSP header comes at the risk of script injection via injection of HTML script elements.

Steps to reproduce

Use the email shortcode on a page like {{< email user="hello" domain="example.com" >}}

Expected result

The email should get rendered on the page.

Actual result

No email is rendered as CSP is denying inline JS.

Environment

> @hyas/doks@0.5.0 precheck
> npm version

{
  '@hyas/doks': '0.5.0',
  npm: '9.6.3',
  node: '19.3.0',
  v8: '10.8.168.21-node.8',
  uv: '1.44.2',
  zlib: '1.2.11',
  brotli: '1.0.9',
  ares: '1.18.1',
  modules: '111',
  nghttp2: '1.51.0',
  napi: '8',
  llhttp: '8.1.0',
  uvwasi: '0.0.13',
  openssl: '1.1.1s',
  cldr: '41.0',
  icu: '71.1',
  tz: '2022a',
  unicode: '14.0'
}

> @hyas/doks@0.5.0 check
> exec-bin node_modules/.bin/hugo/hugo version

hugo v0.107.0-2221b5b30a285d01220a26a82305906ad3291880+extended darwin/arm64 BuildDate=2022-11-24T13:59:45Z VendorInfo=gohugoio