diff --git a/content/posts/infosec/attack-of-the-zip/2024-02-15-attack-of-the-zip.md b/content/posts/infosec/attack-of-the-zip/2024-02-15-attack-of-the-zip.md
index 50d62e9fc..a29c3c6d5 100644
--- a/content/posts/infosec/attack-of-the-zip/2024-02-15-attack-of-the-zip.md
+++ b/content/posts/infosec/attack-of-the-zip/2024-02-15-attack-of-the-zip.md
@@ -11,7 +11,8 @@ tags:
   - linux
   - windows
 thumbnail_src: assets/attack-of-the-zip-thumbnail.jpg
-tocOptions: '{"tags":["h2","h3","h4"]}'
+tocOptions:
+  tags: [h2, h3, h4]
 preamble: |
   *Last month, I designed a CTF challenge involving zip file attacks. This post is a collection of the techniques, insights, and notes I've gathered. I've also uploaded the challenge on [GitHub](https://github.com/TrebledJ/attack-of-the-zip) along with a simplified playground.*
 ---
diff --git a/content/posts/infosec/drogon-csp/2024-08-18-abusing-server-side-rendering-in-drogon.md b/content/posts/infosec/drogon-csp/2024-08-18-abusing-server-side-rendering-in-drogon.md
index c018b34cc..f35b0c1d3 100644
--- a/content/posts/infosec/drogon-csp/2024-08-18-abusing-server-side-rendering-in-drogon.md
+++ b/content/posts/infosec/drogon-csp/2024-08-18-abusing-server-side-rendering-in-drogon.md
@@ -11,7 +11,8 @@ tags:
   - writeup
 thumbnail_src: assets/drogon-thumbnail.png
 thumbnail_banner: true
-tocOptions: '{"tags":["h2","h3","h4"]}'
+tocOptions:
+    tags: [h2, h3, h4]
 related:
     posts: [attack-of-the-zip]
 # preamble: |
diff --git a/eleventy.config.js b/eleventy.config.js
index 42c850dd2..26453efd3 100644
--- a/eleventy.config.js
+++ b/eleventy.config.js
@@ -140,7 +140,11 @@ module.exports = function (eleventyConfig) {
       return content;
     });
 
-    eleventyConfig.addTransform('htmlcsp', htmlcsp);
+    // Indirect: wrap addTransform with addPlugin, so that bundled inline JS
+    // gets substituted before calling htmlcsp. 
+    eleventyConfig.addPlugin(function (eleventyConfig) {
+      eleventyConfig.addTransform('htmlcsp', htmlcsp);
+    });
   }
 
   // Customize Markdown library settings:
diff --git a/eleventy/plugins.js b/eleventy/plugins.js
index 5ff23ab7d..b8647b106 100644
--- a/eleventy/plugins.js
+++ b/eleventy/plugins.js
@@ -18,7 +18,7 @@ module.exports = function (eleventyConfig) {
   eleventyConfig.addPlugin(pluginNavigation);
 
   eleventyConfig.addPlugin(pluginBundle, {
-    bundles: ['inlinecss'],
+    bundles: ['inlinecss', 'inlinejs'],
     toFileDirectory: 'cb',
     transforms: [
       async function (content) {
@@ -38,7 +38,7 @@ module.exports = function (eleventyConfig) {
           return output.styles;
         }
 
-        if (this.type === 'js') {
+        if (this.type === 'js' || this.type === 'inlinejs') {
           const result = await minify(content);
           return result.code;
         }
diff --git a/partials/_includes/utilities/bundle-js.html b/partials/_includes/utilities/bundle-js.html
index e50f85b8c..f1aaf66f9 100644
--- a/partials/_includes/utilities/bundle-js.html
+++ b/partials/_includes/utilities/bundle-js.html
@@ -1,6 +1,11 @@
 {# Bundle JS. #}
-{% js %}
+
+{# Some variables are per-post. For instance, some posts have different ToC options. #}
+{% inlinejs %}
     var tocOptions = {{ tocOptions | default({}) | dump | safe }};
+{% endinlinejs %}
+
+{% js %}
     var site = {
         typewrite: {{ site.typewrite | dump | safe }},
         search: {{ site.search | dump | safe }},
@@ -55,4 +60,6 @@
 {% set jsBundle %}
     {%- getBundleFileUrl "js" -%}
 {% endset %}
+
+<script>{% getBundle "inlinejs" %}</script>
 <script defer src="{{jsBundle}}"></script>
\ No newline at end of file