Session

Securing the front end, from a Node server

A simple technique to block script injection attacks on your web pages is to disable inline JavaScript. This means that the most popular ways of injecting variables and code fragments into your pages will have to change. I will show a JavaScript-to-JavaScript rendering engine for Express that lets you set a very strict and safe Content-Security-Policy on your website. Not only is this approach much safer, it is also very testable.

As a bonus I will show another project that can prevent sensitive information leaking to GitHub and NPM.

https://glebbahmutov.com/blog/disable-inline-javascript-for-security/ - The explanation of Content Security Policy standard, how it works, its benefits, and examples
How badly things can go wrong when server-side rendering or injection is combined with web application templating; see these slides for the full example.
https://glebbahmutov.com/blog/javascript-to-javascript-template-engine/ - The tiny middleware for Express server that removes the need to use the extremely unsafe inline JavaScript code to inject variables and code fragments
ban-sensitive-files

Gleb Bahmutov

JavaScript ninja, image processing expert, software quality fanatic

Boston, Massachusetts, United States
