Commit Graph

6 Commits

Author SHA1 Message Date
Stan Hu f605898191 Fix Piwik not working
Due to indentation, the changes in
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31402 broke the
templating of Piwik script header.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/66627
2019-08-26 15:46:14 -07:00
Stan Hu 5fbbd3dd6e Add support for Content-Security-Policy
A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
inline JavaScript to execute if the script nonce matches the header
value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
so provide configuration to enable this and make it work.

To support this, we need to change all `:javascript` HAML filters to the
following form:

```
= javascript_tag nonce: true do
  :plain
    ...
```

We use `%script` throughout our HAML to store JSON and other text, but
since this doesn't execute, browsers don't appear to block this content
from being used and require the nonce value to be present.
2019-08-07 12:37:31 +10:00
CDuv 38635c645e Adds quotes to Matomo/Piwik website ID
When using Matomo/Piwik integration, only integer website IDs can be used.
If using the "Protect Track ID" Matomo plugin (https://plugins.matomo.org/ProtectTrackID), website IDs are strings which the "_piwik.html.haml" layout file does not support because it assumes "extra_config.piwik_site_id" variable contains an integer and prints it to JavaScript code without quotes.

This commit surrounds "extra_config.piwik_site_id" variable with double quotes (") so that it works with both integers and strings.

Issue: #61606
2019-05-08 17:25:38 +00:00
Tim Zallmann 423d31a300 Inline script cleanup globals and easy 2017-08-01 08:50:59 +00:00
Achilleas Pipinellis b8cd6f9aae Update piwik template 2015-11-08 18:03:30 +02:00
Sebastian Winkler 64e4b400d0 Added Piwik support 2014-02-23 15:13:38 +01:00