Index: openacs-4/packages/xowiki/tcl/form-field-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/form-field-procs.tcl,v
diff -u -r1.248.2.38 -r1.248.2.39
--- openacs-4/packages/xowiki/tcl/form-field-procs.tcl	23 Dec 2016 14:33:02 -0000	1.248.2.38
+++ openacs-4/packages/xowiki/tcl/form-field-procs.tcl	2 Jan 2017 16:26:47 -0000	1.248.2.39
@@ -2723,7 +2723,7 @@
         ::html::div -class visual-clear {
           ;# maybe some comment
         }
-        ::html::script { html::t $js }
+        ::html::script -nonce [security::csp::nonce] { html::t $js }
       }
     } else {
       next
Index: openacs-4/packages/xowiki/tcl/yui-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/yui-procs.tcl,v
diff -u -r1.5.2.3 -r1.5.2.4
--- openacs-4/packages/xowiki/tcl/yui-procs.tcl	13 Sep 2016 10:50:23 -0000	1.5.2.3
+++ openacs-4/packages/xowiki/tcl/yui-procs.tcl	2 Jan 2017 16:26:47 -0000	1.5.2.4
@@ -117,7 +117,7 @@
         #ns_log notice "### propagate extrajs <[my set extrajs]> from [my info class] to [[my set __parent] info class]"
         [my set __parent] append extrajs [my set extrajs]
       } else {
-        html::script -type "text/javascript" {
+        html::script -nonce [security::csp::nonce] -type "text/javascript" {
           html::t "var [my js_name] = new YAHOO.widget.Menu(\"[my id]\", [my set configuration]);"
           html::t "
                         [my js_name].render();
@@ -251,7 +251,7 @@
           foreach li [my children] {$li render}
         }
       }
-      html::script -type "text/javascript" {
+      html::script -nonce [security::csp::nonce] -type "text/javascript" {
         html::t "var [my js_name] = new YAHOO.widget.ContextMenu('[my id]', { trigger: '[my set trigger]' } );"
         html::t "[my js_name].render(document.body);"
       }