-1

I know that this question already has been asked before - and I find this answer to be very useful (https://stackoverflow.com/a/550583). Even though it doesn't completely deliver the wanted outcome.

Some background: I am building a small CMS where a website can be edited through the frontend. After the edit is complete the DOM is saved via PHP to a HTML file. Some websites include js-files which manipulate the dom or load data via AJAX. As those changes shouldn't be in the final output, javascript should be blocked. If you have any other idea how to go about it please let me know.

I hope the question is clear - how should I go about it, that the "external" javascript of the page is stopped, but I am still able to manipulate the DOM by my own js-file.

Thank you

jakobsturm
  • 13
  • 4
  • 2
    nope. Some people already have JS disabled by default in their browsers, but it's a user option - not a developer one – treyBake Jun 05 '19 at 11:01

1 Answers1

1

You can implement a Content Security Policy to only allow JS to be loaded if it is from a specific domain. This will allow you to block inline JS and JS from other domains. You'll need to tailor it based on what you want to allow in the way of JS and other resources.

You can, and should, also sanitise the user inputted HTML.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335