Content Security Policy is intended to mitigate a large class of web application vulnerabilities: Cross-Site Scripting (XSS). Cross-Site Request Forgery (CSRF) has also become a large-scale problem in web application security, though it is not a primary focus of Content Security Policy.
In an ideal world this would be great, but getting all the browsers on board and implemented may take a while. I was thinking about this the other day and I don't see why the browsers/W3C can't standardise on some sort of tag or conditional comment that says "don't execute any script in here". This would be simple to use and surely simple to implement. Browsers already know what to do with
<dontexecutescript> <?php echo $this->escape($userProvidedContent);?> </dontexecutescript>
<!--[dontexecutescript] --> <?php echo $this->escape($userProvidedContent);?> <!--[dontexecutescript]-->
I'm no expert on XSS, but I'm pretty sure this would solve most of the issues encountered.
Okay, so one obvious problem might be that $userProvidedContent contains a closing </dontexecutescript> tag, but that's just semantics. Unique identifiers for each block, ignoring tags that don't match up: these browser developers are clever, they could come up with something.
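As an added illustration (not code from the original post, and the <dontexecutescript> element is the post's hypothetical, not a real HTML element), here is a small Python model of the proposal. It shows the closing-tag problem raised above when raw content is wrapped, shows that the escaping already in the snippet ($this->escape) removes it, and models the "unique identifier per block" idea alongside a nonce-based CSP header, which is the standardised mechanism closest to that idea. The function names, the sample input and the token values are all constructed for this example.

```python
import html
import secrets

# Hypothetical element name taken from the post; browsers do not implement it.
NOSCRIPT_TAG = "dontexecutescript"


def escape(user_content: str) -> str:
    """HTML text-context escaping, the equivalent of $this->escape() in the post."""
    return html.escape(user_content, quote=True)


def naive_wrap(user_content: str, token: str) -> str:
    """The proposal as sketched: wrap *raw* user content in the block.
    Kept only to demonstrate the closing-tag problem the post points out."""
    return f'<{NOSCRIPT_TAG} id="{token}">{user_content}</{NOSCRIPT_TAG}>'


def escaped_wrap(user_content: str, token: str = "") -> str:
    """Same wrapper, but the content is escaped first.
    An unguessable per-block token stands in for the 'unique identifiers' idea."""
    if not token:
        token = secrets.token_hex(16)
    return f'<{NOSCRIPT_TAG} id="{token}">{escape(user_content)}</{NOSCRIPT_TAG}>'


def closing_tag_count(rendered: str) -> int:
    """Number of literal closing tags a browser would see in the markup."""
    return rendered.count(f"</{NOSCRIPT_TAG}>")


def contains_live_script(rendered: str) -> bool:
    """True if an unescaped <script start tag survived into the output."""
    return "<script" in rendered.lower()


def csp_header(nonce: str) -> str:
    """A CSP that lets only scripts carrying the per-response nonce execute.
    Real CSP syntax; the nonce value must be fresh and unguessable per response."""
    return f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'"


if __name__ == "__main__":
    # Constructed sample: user content that tries to close the block early.
    sample = "</dontexecutescript><script>run()</script>"
    print(naive_wrap(sample, "t1"))    # two closing tags, script tag intact
    print(escaped_wrap(sample, "t1"))  # one closing tag, script tag neutralised
    print(csp_header(secrets.token_urlsafe(16)))
```

The takeaway is that the wrapper tag on its own buys nothing once the content can contain the closing tag; the escaping step is what keeps the block intact, and a nonce in the CSP header is how browsers already express "only this identified script may run".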