But if someone adds a <script> element to some template in your CMS and it doesn't get filtered out...
It would be nice if browsers implemented an <endscript> tag and refused to parse anything below it as a script. It would raise the bar on injection attacks for very little additional complexity. Slightly troublesome in that all of your buttons and similar would have to just call already defined functions (no inline code), but that's a reasonable tradeoff, I think.
Content Security Policy can do things very close to that. You can't say "don't load anything after this", but you can whitelist script sources and forbid inline code.
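Added example, not part of the thread: a simplified JavaScript model of the `script-src` decision the comment above describes, run against the cases raised here (an injected `<script>`, inline button handlers). The origins `cms.example` and `cdn.example`, the policy string and all function names are assumptions made for illustration.

```javascript
// Simplified model of how a browser applies script-src (added example).
// Handles only 'self', 'none', 'unsafe-inline' and scheme://host sources;
// nonces, hashes, wildcards, paths and 'strict-dynamic' are not modelled.
const PAGE_ORIGIN = "https://cms.example"; // assumed site origin
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example";

// Parse "name v1 v2; name2 v3" into { name: [v1, v2], name2: [v3] }.
// A repeated directive is ignored; the first occurrence wins.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = values;
    }
  }
  return directives;
}

// script: { inline: true } for <script>code</script> or onclick="...",
//         { src: "..." } for an external script (relative URLs allowed).
function scriptAllowed(header, pageOrigin, script) {
  const d = parsePolicy(header);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true; // no directive governs scripts
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.src, pageOrigin).origin;
  return sources.some((s) =>
    s === "'self'" ? origin === pageOrigin : s === origin);
}

// Constructed cases matching the situations discussed in the thread.
const CASES = [
  ["site's own script file", { src: "/static/app.js" }],
  ["allowlisted CDN script", { src: "https://cdn.example/lib.js" }],
  ["inline <script> added to a template", { inline: true }],
  ["external script from an unlisted origin", { src: "https://other.example/x.js" }],
  ["inline onclick handler on a button", { inline: true }],
];

function evaluateCases(header = POLICY) {
  return CASES.map(([label, s]) => [label, scriptAllowed(header, PAGE_ORIGIN, s)]);
}

for (const [label, ok] of evaluateCases()) {
  console.log(`${ok ? "allowed" : "blocked"}  ${label}`);
}
```

Under this policy, buttons have to be wired up from an allowed script file (for example with `addEventListener`), which is the same "no inline code" tradeoff mentioned for the `<endscript>` idea.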