I’ve given this a (brief) bit of thought in the past, the best answer is probably “use Content Security Policy” https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP . That should let you:
- disallow inline CSS/JS (but then you can’t use it yourself either)
- restrict CSS/JS files to being loaded from particular domains (to prevent your users just hosting the JS elsewhere or loading 10MB of junk from CDNs)
Unfortunately you can’t add CSP headers in the design, so you’d have to use triggers for now. There’s a SquizMap request about adding this ability to Design assets https://squizmap.squiz.net/matrix/12263
Less good ideas …
In theory you could use a Paint Layout to consume
%asset_contents% as an SSJS variable and then do some processing before you print it.
// Remove all references to Bart
var q = "%asset_contents^json_encode%";
q = q.replace('Bart','');
This probably isn’t a good idea because:
- it intercepts asset_contents before
%globals_ etc have been processed so anything incorporated with
%globals_ will sneak past the filter
- Subnote - you could try to filter out %globals_ to stop your publishers from doing any nesting?
- It’ll probably break some complex Paint Layouts you provide for your publishers to use
- you’ll probably end up needing multiple JS libraries to handle the HTML properly, it’s gonna get out of hand
- probably super easy to accidentally break pages
Performance probably isn’t too bad as long as you’re using V8 for SSJS. On balance I strongly suspect this approach would cause you more pain than happiness in the fullness of time.