- A script tag, either inline or with a "src=" attribute for an external file.
- An "onload=", "onclick=", "onmouseover=", or other "on_event_=" attribute.
The ways I've identified in which a page can include other (sandboxed) code are:
- embed tags.
- object tags.
- applet tags.
One question I have here (and this may be considered "future-proofing") regards how WebAssembly bytecode is loaded. Just my cursory googling hasn't determined how that works exactly.
While PDFs can be loaded in most modern browsers without extensions or anything, I consider PDFs to be outside of the scope of this question because while they can include arbitrary (sandboxed) code, this code cannot interact with the webpage.
I also consider things such as HTML5 video to be outside the scope of this question because they don't run arbitrary code.
I do, however, desire for this script and plugin stripping feature to be ironclad. If somebody were able to use tricky measures to slip code by this feature, the tricky measures which might be employed are relevant to this question as far as I'm concerned.
And, ways to include code which only work in some browsers and not others are also in-scope.
Are there any other kinds of plugins or languages that can be included in a webpage that I haven't considered above?
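
An added example, not part of the original post: an audit pass built on Python's `html.parser` that flags only the constructs listed in the question (script tags, `on*` attributes, and embed/object/applet tags), so a stripping feature can be checked against its own output. The names `ActiveContentAudit` and `audit` and the sample page are constructed for illustration, and the list of constructs is the question's, not a complete sanitizer policy.

```python
from html.parser import HTMLParser

# Plugin tags named in the question; an assumption of this example, not a full list.
PLUGIN_TAGS = {"embed", "object", "applet"}


class ActiveContentAudit(HTMLParser):
    """Collects (line, kind, detail) for each construct the question lists."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, attrs):
        line = self.getpos()[0]
        # HTMLParser lower-cases tag and attribute names, so <SCRIPT> and
        # OnLoad= are matched without extra case handling here.
        if tag == "script":
            src = dict(attrs).get("src")
            self.findings.append((line, "script", f"src={src}" if src else "inline"))
        elif tag in PLUGIN_TAGS:
            self.findings.append((line, "plugin", tag))
        # Prefix match fails closed: any attribute starting with "on" is flagged.
        for name, _value in attrs:
            if name.startswith("on") and len(name) > 2:
                self.findings.append((line, "event-handler", f"{tag}[{name}]"))

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_startendtag(self, tag, attrs):  # self-closing form, e.g. <embed ... />
        self._check(tag, attrs)


def audit(html):
    """Return the findings for one HTML document, in document order."""
    parser = ActiveContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for this example.
SAMPLE = """<body OnLoad="init()">
<SCRIPT SRC="/static/app.js"></SCRIPT>
<script>var x = 1;</script>
<p onclick="go()">text</p>
<embed src="movie.swf"/>
<object data="a.swf"></object><applet code="A.class"></applet>
<p>only text, one=1</p></body>"""
```

Running `audit()` on a page after stripping should return an empty list; any finding points at the line where a listed construct survived.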