How can I prevent an XSS attack that places a <script> element in the query string?