dom-security-hardeninglisted

# DOM Security Hardening ## Purpose XSS attacks kill applications. This skill hardens the DOM attack surface by enforcing a strict Content Security Policy, eliminating unsafe DOM APIs, and stripping execution vectors like inline scripts and styles. Following this skill is MANDATORY for any user-facing web application handling user input. ## When to use - Setting up the initial `index.html` or document root of a web application - Refactoring legacy code that relies on direct DOM manipulation - Auditing a frontend codebase for XSS vulnerabilities - Processing rich text or markdown input from untrusted users - Creating forms or chat systems that accept user input ## When NOT to use - CSS framework design (separate concern) - React component prop validation (use React Component Design) - Backend input validation (different layer, still required) ## Inputs required - HTML document structure - JavaScript files with DOM manipulation - Understanding of Content Security Policy basics - Sanitizer library decision (DOMPurify, sanitize-html, etc.) ## Workflow 1. **Enforce CSP**: Add strict `<meta http-equiv="Content-Security-Policy">` tag in HTML `<head>` (or HTTP headers) 2. **Externalize Assets**: Extract ALL inline `<script>` and `<style>` blocks into separate `.js` and `.css` files 3. **Remove Inline Events**: Replace inline `onclick="..."`, `onchange="..."` with standard `addEventListener` bindings 4. **Replace Unsafe DOM**: Replace `innerHTML`, `outerHTML`, `dangerouslySetInne