I am not sure if this particular long term solution to cross-site scripting (XSS) has been discussed yet, but I thought it is worth a mention since I thought of it.  Yes, I have an ego that wants to be polished daily. 🙂

The idea is to introduce 'safety' attributes to HTML and XHTML that allows web developers to disable dangerous DHTML features like scripting within elements that contains content from users.  For example:

comment entered by visitors

Fine-grained safety settings will allow some scripting features to continue working while disabling others.