For your website you'll often have to include external JavaScript, such as tags from ad partners, external ad servers, etc.
This foreign JavaScript is always a security risk: if a potential attacker is able to change the external JS, the result is effectively cross-site scripting on your site. So how do you protect against XSS from partners you need to include but which are possibly evil?
One possible solution is a PHP-based JavaScript interpreter that could handle external JS in a server-side sandbox.
J4P5 might be such a solution: it lets you run JavaScript from your PHP server, so it is a kind of interpreter for it. On your server you then need to evaluate the code the JS generates and check that it is not generating possibly evil JavaScript. This might have some disadvantages, for example when ad tags try to determine your browser or IP, and some JS scripts may not work at all. Of course it will not be good for performance either, but it might prevent some XSS security issues, especially if you include JS from an untrusted third party.
I'll try it out in the near future.
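
The server-side check of the generated output described above, as an added example that is not part of the original post. It assumes the markup the third-party tag writes has already been captured as a string from the sandboxed interpreter (how J4P5 exposes that is not shown); the function name, the allowlist, the host name and the sample markup are constructed for illustration.

```php
<?php
// Added example: allowlist check for markup captured from a sandboxed ad tag.
// The tag/attribute allowlist, host names and sample markup are constructed.
function find_violations(string $html, array $allowedHosts): array
{
    $allowed = [
        'a'   => ['href', 'target'],
        'img' => ['src', 'width', 'height', 'alt'],
        'div' => [], 'span' => [], 'p' => [],
    ];
    if (trim($html) === '') {
        return [];
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // ad markup is rarely valid HTML
    $doc->loadHTML($html, LIBXML_NONET);        // never fetch anything while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $violations = [];
    foreach ((new DOMXPath($doc))->query('//*') as $el) {
        $tag = strtolower($el->nodeName);
        // html/head/body without attributes are wrappers added by the parser.
        if (in_array($tag, ['html', 'head', 'body'], true) && !$el->hasAttributes()) {
            continue;
        }
        if (!isset($allowed[$tag])) {
            $violations[] = "element <$tag> not allowed";
            continue;
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->nodeName);
            if (!in_array($name, $allowed[$tag], true)) {
                $violations[] = "attribute $name on <$tag> not allowed";
            } elseif (in_array($name, ['href', 'src'], true)) {
                // Only absolute https URLs on an allowlisted host pass.
                $url = parse_url(trim($attr->nodeValue));
                $ok = is_array($url) && strtolower($url['scheme'] ?? '') === 'https'
                    && in_array(strtolower($url['host'] ?? ''), $allowedHosts, true);
                if (!$ok) {
                    $violations[] = "URL in $name on <$tag> not allowed";
                }
            }
        }
    }
    return $violations;
}
// Constructed samples: a plain creative, then one carrying script and a handler.
$hosts = ['ads.partner.example'];
var_dump(find_violations('<a href="https://ads.partner.example/c?id=1"><img src="https://ads.partner.example/b.png" alt="ad"></a>', $hosts));
var_dump(find_violations('<img src="https://ads.partner.example/b.png" onerror="track()"><script>x()</script>', $hosts));
```

Only output with an empty violation list would be passed on to the page; anything else is dropped rather than repaired.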