I’m presently working on a project that handles the import of HTML from external sources, much of which will be fed through HTMLPurifier to ensure the HTML I render for the user is valid and safe. However, while pondering ways I can make this safe, I wondered how to find out quickly if some malicious JavaScript did make it through to a rendered page.
Thus, I wonder whether a small piece of JavaScript would be helpful here. It sends a daily heartbeat (via AJAX) to show it is live and operational. It will also periodically check the page for unauthorised script tags and inline scripts, and will send an alert to the server if items that are not safe-listed are found. It can report the currently logged-in user too, so if a problem is discovered, it is immediately clear which user accounts need to be reset.
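A sketch of the check described in the question, as an added example rather than code from the post: every script whose src (origin and path) or exact inline body is not on an allow-list is reported, and the same payload doubles as the heartbeat when nothing is found. The allow-list contents, the `/security/heartbeat` endpoint and the server-side injection of the user name are assumptions.

```javascript
// Added example (not from the original post). Names, allow-list entries and the
// /security/heartbeat endpoint are assumptions; the server side is not shown.
const ALLOWED_SCRIPTS = {
  srcs: new Set(["https://cdn.example.com/app.js", "https://cdn.example.com/vendor.js"]),
  inline: new Set(["window.__appConfig={locale:'en'};"]), // exact text match only
};
// Reduce a src to origin+path so cache-busting query strings don't trip the check.
function normaliseSrc(src, base = "https://example.com/") {
  try { const u = new URL(src, base); return u.origin + u.pathname; }
  catch (e) { return src; } // unparsable value, reported verbatim
}
// scripts: array of {src, text}. Returns one record per script that is neither an
// allowed external URL nor an allowed inline body.
function findUnauthorisedScripts(scripts, allow = ALLOWED_SCRIPTS) {
  const violations = [];
  for (const s of scripts) {
    if (s.src) {
      const key = normaliseSrc(s.src);
      if (!allow.srcs.has(key)) violations.push({ kind: "external", src: key });
    } else {
      const text = (s.text || "").trim();
      if (!allow.inline.has(text)) violations.push({ kind: "inline", sample: text.slice(0, 80) });
    }
  }
  return violations;
}
// Live-DOM collector (browser only); the constructed sample below stands in for it here.
function collectScripts(doc) {
  return Array.from(doc.querySelectorAll("script"))
    .map((el) => ({ src: el.getAttribute("src") || "", text: el.textContent || "" }));
}
// Heartbeat when clean, alert otherwise; `user` is assumed to be injected server-side.
function buildReport(violations, user, now = new Date()) {
  return { type: violations.length ? "alert" : "heartbeat", user, at: now.toISOString(), violations };
}
// sendBeacon survives page unload; fetch is the fallback.
function sendReport(report, endpoint = "/security/heartbeat") {
  const body = JSON.stringify(report);
  if (typeof navigator !== "undefined" && navigator.sendBeacon) return navigator.sendBeacon(endpoint, body);
  return fetch(endpoint, { method: "POST", body, headers: { "Content-Type": "application/json" } });
}
// Constructed sample: two allowed scripts, one unknown external, one unknown inline.
const SAMPLE_SCRIPTS = [
  { src: "https://cdn.example.com/app.js?v=42", text: "" },
  { src: "", text: "window.__appConfig={locale:'en'};" },
  { src: "https://unknown.example.net/x.js", text: "" },
  { src: "", text: "doSomething();" },
];
```

Any script that runs earlier on the page can remove itself from the DOM or redefine these functions, so this is a detective control to sit alongside server-side purification, not a replacement for it.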