Index: openacs-4/packages/richtext-xinha/tcl/richtext-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/richtext-xinha/tcl/richtext-procs.tcl,v
diff -u -r1.1.2.4 -r1.1.2.5
--- openacs-4/packages/richtext-xinha/tcl/richtext-procs.tcl	17 Aug 2016 05:00:23 -0000	1.1.2.4
+++ openacs-4/packages/richtext-xinha/tcl/richtext-procs.tcl	9 Sep 2016 08:32:34 -0000	1.1.2.5
@@ -83,7 +83,7 @@
         # Pass as well the actual package_id to xinha (for e.g. plugins)
         #
         append xinha_options "xinha_config.package_id = '[ad_conn package_id]';\n"
-        
+
         # DAVEB find out if there is a key datatype in the form
         if {[info exists ::af_key_name($form_id)]} {
             set key [template::element get_value $form_id $::af_key_name($form_id)]
@@ -97,6 +97,13 @@
         #ns_log notice "final ::acs_blank_master(xinha.options):\n$xinha_options"
         set ::acs_blank_master(xinha.options) $xinha_options
 
+        #
+        # add required directives for content security policies
+        #
+        security::csp::require script-src 'unsafe-eval'
+        security::csp::require script-src 'unsafe-inline'
+
+        
         return ""
     }
 
@@ -167,9 +174,8 @@
          }
          //window.onload = xinha_init;
       "
-
-        template::add_body_handler -event onload -script "xinha_init();"
-        template::add_script -src ${::xinha_dir}XinhaCore.js -section body
+        template::add_body_script -src ${::xinha_dir}XinhaCore.js
+        template::add_body_script -script "xinha_init();"
     }
 
 }