Content Security Policy headers can be used to prevent XSS attacks. Caveats are, user must be using a modern browser, and you have to move all inline scripts out to a .js file. Read more here: http://content-security-policy.com/