From 21de00b097187d1e4e479ea877df64bee22b60c9 Mon Sep 17 00:00:00 2001
From: Jacob Walls <jacobtylerwalls@gmail.com>
Date: Wed, 6 May 2026 14:03:45 -0400
Subject: [PATCH 1/2] Refs #36620 -- Mentioned coverage workflow uses
 PostgreSQL.

Before c507aaf9abeff4b93b7f9bdbc55801f2ccfc2d01, this workflow
used to run on SQLite.
---
 docs/internals/contributing/writing-code/unit-tests.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/internals/contributing/writing-code/unit-tests.txt b/docs/internals/contributing/writing-code/unit-tests.txt
index 657027a0334b..d19616e323fc 100644
--- a/docs/internals/contributing/writing-code/unit-tests.txt
+++ b/docs/internals/contributing/writing-code/unit-tests.txt
@@ -419,14 +419,14 @@ the lines that were changed or added in the PR. It shows:
 When reviewing coverage reports on pull requests, keep these limitations in
 mind:
 
-* **Database-specific code:** The CI coverage job runs tests using SQLite on
-  Windows. Code paths specific to other databases (PostgreSQL, MySQL, Oracle)
+* **Database-specific code:** The CI coverage job runs tests using PostgreSQL
+  on Ubuntu. Code paths specific to other databases (SQLite, MySQL, Oracle)
   will appear as "not covered" even if database-specific tests exist. This is
   expected and acceptable.
 
 * **Platform-specific code:** Similarly, code that only runs on certain
-  operating systems (Linux, macOS) will appear as not covered when run on
-  Windows.
+  operating systems (Windows, macOS) will appear as not covered when run on
+  Ubuntu.
 
 * **Coverage doesn't equal quality:** A line being "covered" only means it was
   executed during tests. It doesn't guarantee the line is well-tested or that

From 5686ce41958b21f0ae5bfa290e8d4420a6349c1b Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Wed, 25 Mar 2026 22:53:58 -0300
Subject: [PATCH 2/2] Fixed #36784 -- Added csp_nonce_attr template tag for CSP
 nonce inclusion.

New default tag `{% csp_nonce_attr %}` was added for explicit CSP nonce
inclusion into `<script>` and `<link>` elements.

`{% csp_nonce_attr %}` renders `nonce="<value>"` when `csp_nonce` is
present in the template context, and renders nothing otherwise.
`{% csp_nonce_attr media %}` renders a `Media` object's assets with the
nonce attr applied to each tag.

Thanks Jacob Walls for the accurate and spot on review comments.

Co-authored-by: Johannes Maron <johannes@maron.family>
---
 django/forms/widgets.py                       | 56 ++++++++----
 django/template/context_processors.py         |  3 +-
 django/template/defaulttags.py                |  7 +-
 django/utils/csp.py                           | 19 +++-
 docs/howto/csp.txt                            | 26 +++++-
 docs/ref/csp.txt                              | 38 ++++++--
 docs/ref/templates/builtins.txt               | 30 +++++++
 docs/releases/6.1.txt                         |  6 +-
 docs/topics/forms/media.txt                   |  4 +
 tests/forms_tests/tests/test_media.py         | 78 ++++++++++++++++
 .../syntax_tests/test_csp_nonce_attr.py       | 89 +++++++++++++++++++
 11 files changed, 326 insertions(+), 30 deletions(-)
 create mode 100644 tests/template_tests/syntax_tests/test_csp_nonce_attr.py

diff --git a/django/forms/widgets.py b/django/forms/widgets.py
index 1bcfeba2886e..697215540285 100644
--- a/django/forms/widgets.py
+++ b/django/forms/widgets.py
@@ -82,15 +82,28 @@ def __hash__(self):
         return hash(self._path)
 
     def __str__(self):
+        return self.render()
+
+    def __repr__(self):
+        return f"{type(self).__qualname__}({self._path!r})"
+
+    def render(self, *, attrs=None):
+        if (
+            attrs
+            and self.attributes
+            and (conflicts := attrs.keys() & self.attributes.keys())
+        ):
+            conflicts = ", ".join(sorted(conflicts))
+            raise ValueError(
+                f"{self.__class__.__qualname__} has conflicting attributes: "
+                f"{conflicts}"
+            )
         return format_html(
             self.element_template,
             path=self.path,
-            attributes=flatatt(self.attributes),
+            attributes=flatatt({**(attrs or {}), **self.attributes}),
         )
 
-    def __repr__(self):
-        return f"{type(self).__qualname__}({self._path!r})"
-
     @property
     def path(self):
         """
@@ -142,38 +155,47 @@ def _css(self):
     def _js(self):
         return self.merge(*self._js_lists)
 
-    def render(self):
+    def render(self, *, attrs=None):
         return mark_safe(
             "\n".join(
                 chain.from_iterable(
-                    getattr(self, "render_" + name)() for name in MEDIA_TYPES
+                    getattr(self, "render_" + name)(attrs=attrs) for name in MEDIA_TYPES
                 )
             )
         )
 
-    def render_js(self):
+    def render_js(self, *, attrs=None):
         return [
             (
-                path.__html__()
-                if hasattr(path, "__html__")
-                else format_html('<script src="{}"></script>', self.absolute_path(path))
+                path.render(attrs=attrs)
+                if isinstance(path, MediaAsset)
+                else (
+                    path.__html__()
+                    if hasattr(path, "__html__")
+                    else Script(path).render(attrs=attrs)
+                )
             )
             for path in self._js
         ]
 
-    def render_css(self):
+    def render_css(self, *, attrs=None):
         # To keep rendering order consistent, we can't just iterate over
         # items(). We need to sort the keys, and iterate over the sorted list.
         media = sorted(self._css)
         return chain.from_iterable(
             [
                 (
-                    path.__html__()
-                    if hasattr(path, "__html__")
-                    else format_html(
-                        '<link href="{}" media="{}" rel="stylesheet">',
-                        self.absolute_path(path),
-                        medium,
+                    path.render(attrs=attrs)
+                    if isinstance(path, MediaAsset)
+                    else (
+                        path.__html__()
+                        if hasattr(path, "__html__")
+                        else format_html(
+                            '<link href="{}" media="{}"{} rel="stylesheet">',
+                            self.absolute_path(path),
+                            medium,
+                            flatatt(attrs) if attrs else "",
+                        )
                     )
                 )
                 for path in self._css[medium]
diff --git a/django/template/context_processors.py b/django/template/context_processors.py
index 214972de530e..1ff894ecfe96 100644
--- a/django/template/context_processors.py
+++ b/django/template/context_processors.py
@@ -12,6 +12,7 @@
 from django.conf import settings
 from django.middleware.csp import get_nonce
 from django.middleware.csrf import get_token
+from django.utils.csp import CONTEXT_KEY as CSP_CONTEXT_KEY
 from django.utils.functional import SimpleLazyObject, lazy
 
 
@@ -94,4 +95,4 @@ def csp(request):
     """
     Add the CSP nonce to the context.
     """
-    return {"csp_nonce": get_nonce(request)}
+    return {CSP_CONTEXT_KEY: get_nonce(request)}
diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py
index 3348e6426312..4f43b0242f0d 100644
--- a/django/template/defaulttags.py
+++ b/django/template/defaulttags.py
@@ -11,7 +11,7 @@
 
 from django.conf import settings
 from django.http import QueryDict
-from django.utils import timezone
+from django.utils import csp, timezone
 from django.utils.datastructures import DeferredSubDict
 from django.utils.html import conditional_escape, escape, format_html
 from django.utils.lorem_ipsum import paragraphs, words
@@ -1685,3 +1685,8 @@ def do_with(parser, token):
     nodelist = parser.parse(("endwith",))
     parser.delete_first_token()
     return WithNode(None, None, nodelist, extra_context=extra_context)
+
+
+@register.simple_tag(takes_context=True)
+def csp_nonce_attr(context, media=None):
+    return csp.nonce_attr(context, media)
diff --git a/django/utils/csp.py b/django/utils/csp.py
index 08a9d0752e38..08aaed685af7 100644
--- a/django/utils/csp.py
+++ b/django/utils/csp.py
@@ -2,6 +2,10 @@
 from enum import StrEnum
 
 from django.utils.functional import SimpleLazyObject, empty
+from django.utils.html import format_html
+
+# Template context key for the CSP nonce.
+CONTEXT_KEY = "csp_nonce"
 
 
 class CSP(StrEnum):
@@ -63,10 +67,10 @@ class LazyNonce(SimpleLazyObject):
 
     Example Django template usage with context processors enabled:
 
-        <script{% if csp_nonce %} nonce="{{ csp_nonce }}"...{% endif %}>
+        <script {% csp_nonce_attr %}></script>
 
-    The `{% if %}` block will only render if the nonce has been evaluated
-    elsewhere.
+    ``{% csp_nonce_attr %}`` will only render the nonce attribute if the nonce
+    has been evaluated (i.e. accessed) elsewhere in the request/response cycle.
 
     """
 
@@ -77,6 +81,15 @@ def __bool__(self):
         return self._wrapped is not empty
 
 
+def nonce_attr(context, media=None):
+    nonce = context.get(CONTEXT_KEY)
+    if media:
+        return media.render(attrs={"nonce": nonce} if nonce is not None else None)
+    if nonce is None:
+        return ""
+    return format_html('nonce="{}"', nonce)
+
+
 def generate_nonce():
     return secrets.token_urlsafe(16)
 
diff --git a/docs/howto/csp.txt b/docs/howto/csp.txt
index 756f815bf255..f37bb2a82ad9 100644
--- a/docs/howto/csp.txt
+++ b/docs/howto/csp.txt
@@ -73,8 +73,10 @@ To use nonces in your CSP policy, beside the basic config, you need to:
         },
     ]
 
-3. In your templates, add the ``nonce`` attribute to the relevant inline
-   ``<style>`` or ``<script>`` tags, using the ``csp_nonce`` context variable:
+3. In your templates, add the nonce to elements that require it:
+
+   For inline ``<style>`` or ``<script>`` tags, use the ``csp_nonce`` context
+   variable directly:
 
    .. code-block:: html+django
 
@@ -86,6 +88,26 @@ To use nonces in your CSP policy, beside the basic config, you need to:
         // This inline JavaScript will be allowed.
       </script>
 
+   For external ``<script src="...">`` and ``<link rel="stylesheet">``
+   elements, use the :ttag:`csp_nonce_attr` template tag:
+
+   .. code-block:: html+django
+
+      <script src="/path/to/script.js" {% csp_nonce_attr %}></script>
+      <link rel="stylesheet" href="/path/to/style.css" {% csp_nonce_attr %}>
+
+   To render a :class:`~django.forms.Media` object's assets with the nonce
+   applied to each element, pass the object to the :ttag:`csp_nonce_attr` tag:
+
+   .. code-block:: html+django
+
+      {% csp_nonce_attr form.media %}
+
+   .. versionchanged:: 6.1
+
+       The :ttag:`csp_nonce_attr` template tag was added, including support for
+       rendering :class:`~django.forms.Media` objects.
+
 .. admonition:: Caching and Nonce Reuse
 
    The :class:`~django.middleware.csp.ContentSecurityPolicyMiddleware`
diff --git a/docs/ref/csp.txt b/docs/ref/csp.txt
index b5bf0c5f2e15..0498d90ab8c3 100644
--- a/docs/ref/csp.txt
+++ b/docs/ref/csp.txt
@@ -260,16 +260,43 @@ expression into the CSP header.
 
 To use this nonce in templates, the
 :func:`~django.template.context_processors.csp` context processor needs to be
-enabled. It adds a ``csp_nonce`` variable to the template context, allowing
-inline elements to include a matching ``nonce="{{ csp_nonce }}"`` attribute in
-inline scripts or styles.
+enabled. It adds a ``csp_nonce`` variable to the template context.
+
+.. versionchanged:: 6.1
+
+    The :ttag:`csp_nonce_attr` template tag was added, including support for
+    rendering :class:`~django.forms.Media` objects.
+
+For inline ``<script>`` and ``<style>`` elements, include the nonce directly
+using the context variable:
+
+.. code-block:: html+django
+
+    <script nonce="{{ csp_nonce }}">
+      // This inline JavaScript will be allowed.
+    </script>
+
+For external ``<script src="...">`` and ``<link rel="stylesheet">`` elements,
+use the :ttag:`csp_nonce_attr` template tag:
+
+.. code-block:: html+django
+
+    <script src="/path/to/script.js" {% csp_nonce_attr %}></script>
+    <link rel="stylesheet" href="/path/to/style.css" {% csp_nonce_attr %}>
+
+To render a :class:`~django.forms.Media` object's assets with the nonce
+applied, pass the object to the :ttag:`csp_nonce_attr` template tag:
+
+.. code-block:: html+django
+
+    {% csp_nonce_attr form.media %}
 
 The browser will only execute inline elements that include a ``nonce=<value>``
 attribute matching the one specified in the ``Content-Security-Policy`` (or
 ``Content-Security-Policy-Report-Only``) header. This mechanism provides
 fine-grained control over which inline code is allowed to run.
 
-If a template includes ``{{ csp_nonce }}`` but the policy does not include
+If a template includes the CSP nonce but the policy does not include
 :attr:`~django.utils.csp.CSP.NONCE`, the HTML will include a nonce attribute,
 but the header will lack the required source expression. In this case, the
 browser will block the inline script or style (or report it for report-only
@@ -291,7 +318,8 @@ the nonce and weakens security.
 
 To ensure nonce-based policies remain effective:
 
-* Avoid caching full responses that include ``{{ csp_nonce }}``.
+* Avoid caching full responses that include ``{{ csp_nonce }}`` or
+  :ttag:`csp_nonce_attr`.
 * If caching is necessary, use a strategy that injects a fresh nonce on each
   request, or consider refactoring your application to avoid inline scripts and
   styles altogether.
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 94ec4a6be5f4..6f491e2e772a 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -101,6 +101,36 @@ Sample usage:
 This tag is used for CSRF protection, as described in the documentation for
 :doc:`Cross Site Request Forgeries </ref/csrf>`.
 
+.. templatetag:: csp_nonce_attr
+
+``csp_nonce_attr``
+------------------
+
+.. versionadded:: 6.1
+
+When called without arguments, renders a ``nonce="<value>"`` HTML attribute
+when the :func:`~django.template.context_processors.csp` context processor is
+configured, and an empty string otherwise. Use it in ``<script>`` or
+``<link>`` elements to allow them under a nonce-based Content Security Policy:
+
+.. code-block:: html+django
+
+    <script src="/path/to/script.js" {% csp_nonce_attr %}></script>
+    <link rel="stylesheet" href="/path/to/style.css" {% csp_nonce_attr %}>
+
+When called with a :class:`~django.forms.Media` object as the argument,
+renders its assets with the CSP nonce applied to each ``<script>`` and
+``<link>`` element:
+
+.. code-block:: html+django
+
+    {% csp_nonce_attr form.media %}
+
+In both forms, if the context processor is not configured, assets are rendered
+without a nonce attribute.
+
+See :ref:`csp-nonce` for full configuration details.
+
 .. templatetag:: cycle
 
 ``cycle``
diff --git a/docs/releases/6.1.txt b/docs/releases/6.1.txt
index 50e4f63f5e1b..d0250d3798a9 100644
--- a/docs/releases/6.1.txt
+++ b/docs/releases/6.1.txt
@@ -217,7 +217,11 @@ Cache
 CSP
 ~~~
 
-* ...
+* The new :ttag:`csp_nonce_attr` template tag renders the CSP nonce attribute
+  on ``<script>`` and ``<link>`` elements, or renders a
+  :class:`~django.forms.Media` object's assets with the nonce applied, when the
+  :func:`~django.template.context_processors.csp` context processor is
+  configured. See :ref:`csp-nonce` for details.
 
 CSRF
 ~~~~
diff --git a/docs/topics/forms/media.txt b/docs/topics/forms/media.txt
index 604efa7d369a..061231c6d127 100644
--- a/docs/topics/forms/media.txt
+++ b/docs/topics/forms/media.txt
@@ -322,6 +322,10 @@ HTML:
 ``Media`` objects
 =================
 
+.. class:: Media
+
+    Represents a collection of media assets required by a widget or form.
+
 When you interrogate the ``media`` attribute of a widget or form, the
 value that is returned is a ``forms.Media`` object. As we have already
 seen, the string representation of a ``Media`` object is the HTML
diff --git a/tests/forms_tests/tests/test_media.py b/tests/forms_tests/tests/test_media.py
index c1d0c0a56856..948ba6ec9b52 100644
--- a/tests/forms_tests/tests/test_media.py
+++ b/tests/forms_tests/tests/test_media.py
@@ -72,6 +72,18 @@ def test_path(self):
         asset = MediaAsset("//absolute/path/to/css")
         self.assertEqual(asset.path, "//absolute/path/to/css")
 
+    def test_render_attrs_conflict(self):
+        asset = MediaAsset("/path/to/asset", nonce="static")
+        msg = "MediaAsset has conflicting attributes: nonce"
+        with self.assertRaisesMessage(ValueError, msg):
+            asset.render(attrs={"nonce": "dynamic"})
+
+    def test_render_attrs_multiple_conflicts(self):
+        asset = MediaAsset("/path/to/asset", integrity="sha256-abc", nonce="static")
+        msg = "MediaAsset has conflicting attributes: integrity, nonce"
+        with self.assertRaisesMessage(ValueError, msg):
+            asset.render(attrs={"integrity": "sha256-xyz", "nonce": "dynamic"})
+
 
 @override_settings(STATIC_URL="http://media.example.com/static/")
 class ScriptTestCase(SimpleTestCase):
@@ -90,6 +102,35 @@ def test_str(self):
             '<script src="http://media.example.com/static/path/to/js" async></script>',
         )
 
+    def test_render_with_attrs(self):
+        script = Script("/path/to/js", integrity="sha256-abc")
+        self.assertHTMLEqual(
+            script.render(attrs={"nonce": "abc123"}),
+            '<script src="/path/to/js" integrity="sha256-abc" nonce="abc123"></script>',
+        )
+
+    def test_render_attrs_conflict(self):
+        script = Script("/path/to/js", nonce="static")
+        msg = "Script has conflicting attributes: nonce"
+        with self.assertRaisesMessage(ValueError, msg):
+            script.render(attrs={"nonce": "dynamic"})
+
+
+@override_settings(STATIC_URL="http://media.example.com/static/")
+class CSSTestCase(SimpleTestCase):
+    def test_render_with_attrs(self):
+        asset = CSS("/path/to/css")
+        self.assertHTMLEqual(
+            asset.render(attrs={"nonce": "abc123"}),
+            '<link href="/path/to/css" nonce="abc123" rel="stylesheet">',
+        )
+
+    def test_render_attrs_conflict(self):
+        asset = CSS("/path/to/css", nonce="static")
+        msg = "CSS has conflicting attributes: nonce"
+        with self.assertRaisesMessage(ValueError, msg):
+            asset.render(attrs={"nonce": "dynamic"})
+
 
 @override_settings(
     STATIC_URL="http://media.example.com/static/",
@@ -799,6 +840,43 @@ def test_add_empty(self):
         self.assertEqual(merged._css_lists, [{"screen": ["a.css"]}])
         self.assertEqual(merged._js_lists, [["a"]])
 
+    def test_render_js_with_attrs(self):
+        media = Media(js=[Script("/path/to/js", integrity="sha256-abc")])
+        self.assertHTMLEqual(
+            media.render(attrs={"nonce": "abc123"}),
+            '<script src="/path/to/js" integrity="sha256-abc" nonce="abc123"></script>',
+        )
+
+    def test_render_css_with_attrs(self):
+        media = Media(css={"all": [CSS("/path/to/css", media="print")]})
+        self.assertHTMLEqual(
+            media.render(attrs={"nonce": "abc123"}),
+            '<link href="/path/to/css" media="print" nonce="abc123" rel="stylesheet">',
+        )
+
+    def test_render_css_string_path_with_attrs(self):
+        media = Media(css={"all": ["/path/to/css"]})
+        self.assertHTMLEqual(
+            media.render(attrs={"nonce": "abc123"}),
+            '<link href="/path/to/css" media="all" nonce="abc123" rel="stylesheet">',
+        )
+
+    def test_render_attrs_conflict(self):
+        cases = [
+            (
+                Media(js=[Script("/path/to/js", nonce="static")]),
+                "Script has conflicting attributes: nonce",
+            ),
+            (
+                Media(css={"all": [CSS("/path/to/css", nonce="static")]}),
+                "CSS has conflicting attributes: nonce",
+            ),
+        ]
+        for media, msg in cases:
+            with self.subTest(msg=msg):
+                with self.assertRaisesMessage(ValueError, msg):
+                    media.render(attrs={"nonce": "dynamic"})
+
 
 @override_settings(
     STATIC_URL="http://media.example.com/static/",
diff --git a/tests/template_tests/syntax_tests/test_csp_nonce_attr.py b/tests/template_tests/syntax_tests/test_csp_nonce_attr.py
new file mode 100644
index 000000000000..4ea159d0ecba
--- /dev/null
+++ b/tests/template_tests/syntax_tests/test_csp_nonce_attr.py
@@ -0,0 +1,89 @@
+from django.forms import Media
+from django.forms.widgets import Script
+from django.template import Context, Template
+from django.test import SimpleTestCase, override_settings
+
+
+@override_settings(STATIC_URL="/static/")
+class CspNonceTagTests(SimpleTestCase):
+    def test_with_nonce_in_context(self):
+        t = Template("<script {% csp_nonce_attr %}></script>")
+        result = t.render(Context({"csp_nonce": "abc123"}))
+        self.assertEqual(result, '<script nonce="abc123"></script>')
+
+    def test_without_csp_nonce_in_context(self):
+        t = Template("<script {% csp_nonce_attr %}></script>")
+        result = t.render(Context())
+        self.assertEqual(result, "<script ></script>")
+
+    def test_with_csp_nonce_none(self):
+        t = Template("<script {% csp_nonce_attr %}></script>")
+        result = t.render(Context({"csp_nonce": None}))
+        self.assertEqual(result, "<script ></script>")
+
+    def test_nonce_is_escaped(self):
+        t = Template("<script {% csp_nonce_attr %}></script>")
+        result = t.render(Context({"csp_nonce": '<script>"'}))
+        self.assertIn("&lt;", result)
+        self.assertNotIn("<script>", result)
+
+
+@override_settings(STATIC_URL="/static/")
+class CspNonceTagWithMediaTests(SimpleTestCase):
+    def test_with_nonce_in_context(self):
+        media = Media(js=["/path/to/js"])
+        t = Template("{% csp_nonce_attr media %}")
+        result = t.render(Context({"media": media, "csp_nonce": "abc123"}))
+        self.assertHTMLEqual(
+            result,
+            '<script src="/path/to/js" nonce="abc123"></script>',
+        )
+
+    def test_without_csp_nonce_in_context(self):
+        media = Media(js=["/path/to/js"])
+        t = Template("{% csp_nonce_attr media %}")
+        result = t.render(Context({"media": media}))
+        self.assertHTMLEqual(result, '<script src="/path/to/js"></script>')
+
+    def test_with_csp_nonce_none(self):
+        media = Media(js=["/path/to/js"])
+        t = Template("{% csp_nonce_attr media %}")
+        result = t.render(Context({"media": media, "csp_nonce": None}))
+        self.assertHTMLEqual(result, '<script src="/path/to/js"></script>')
+
+    def test_css_and_js(self):
+        media = Media(
+            css={"all": ["/path/to/css"]},
+            js=["/path/to/js"],
+        )
+        t = Template("{% csp_nonce_attr media %}")
+        result = t.render(Context({"media": media, "csp_nonce": "abc123"}))
+        self.assertHTMLEqual(
+            result,
+            '<link href="/path/to/css" media="all" nonce="abc123" rel="stylesheet">\n'
+            '<script src="/path/to/js" nonce="abc123"></script>',
+        )
+
+    def test_with_script_object(self):
+        media = Media(js=[Script("/path/to/js", integrity="sha256-abc")])
+        t = Template("{% csp_nonce_attr media %}")
+        result = t.render(Context({"media": media, "csp_nonce": "abc123"}))
+        self.assertHTMLEqual(
+            result,
+            '<script src="/path/to/js" integrity="sha256-abc"'
+            ' nonce="abc123"></script>',
+        )
+
+    def test_output_is_safe(self):
+        media = Media(js=["/path/to/js"])
+        t = Template("{% csp_nonce_attr media %}")
+        result = t.render(Context({"media": media, "csp_nonce": "abc123"}))
+        self.assertIn("<script", result)
+        self.assertNotIn("&lt;", result)
+
+    def test_script_with_conflicting_nonce_raises(self):
+        media = Media(js=[Script("/path/to/js", nonce="static")])
+        t = Template("{% csp_nonce_attr media %}")
+        msg = "Script has conflicting attributes: nonce"
+        with self.assertRaisesMessage(ValueError, msg):
+            t.render(Context({"media": media, "csp_nonce": "abc123"}))