Hi @ask,
As Bruce said, we should do it by using server coding, as this article says.
Besides, for old browsers we could use the X-XSS-Protection response header. For more details, you could refer to this article.
For modern browsers, you could set the Content Security Policy header to enable the XSS protection checking. For more details, you could refer to this article.
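The three layers mentioned in the reply above (server-side output encoding, `X-XSS-Protection`, and a Content Security Policy), combined in one response, as an added example that is not part of the original post or the linked articles. The function names, the page markup and the specific CSP directives are assumptions chosen for illustration.

```python
import html
import secrets


def security_headers(nonce):
    """Build response headers for both browser generations (hypothetical helper)."""
    csp = "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",  # inline scripts must carry this nonce
        "object-src 'none'",
        "base-uri 'none'",
    ])
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp,
        # Only older browsers act on this header; current ones ignore it.
        "X-XSS-Protection": "1; mode=block",
    }


def render_comment_page(comment):
    """Return (headers, body) for a page that echoes untrusted input."""
    nonce = secrets.token_urlsafe(16)        # fresh value for every response
    safe = html.escape(comment, quote=True)  # server-side output encoding
    body = (
        "<!doctype html><html><body>"
        f'<p id="comment">{safe}</p>'
        f'<script nonce="{nonce}">console.log("page script");</script>'
        "</body></html>"
    )
    return security_headers(nonce), body


if __name__ == "__main__":
    # Constructed sample input: markup submitted as a comment.
    headers, body = render_comment_page("<script>alert(1)</script>")
    for name, value in headers.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

The encoding step is what keeps the submitted markup inert; the CSP nonce means that even if some other code path forgets to encode, an injected inline script without the per-response nonce is refused by browsers that enforce CSP.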