Out of curiosity, do you have a recommendation of a tool / structure for an automated test to catch that type of injection? This is something I haven’t considered in my own pipeline that I’d like to address.
For external files in particular you can use Content Security Policies [1] in the server configuration.
Injecting third-party content then requires editing both your site and the server setup. Of course, you can make the policies more or less strict depending on how much you want to tighten this kind of attack vector.
