HTML5
I thought HTML5 was the cure by keeping code separate from content. The server produces static pages. JS requests data separately, builds HTML elements, then places the data into text attributes. At no point does user-generated dynamic content get into the executable or structural areas.