Thesis

A Cooperative Defense Mechanism Against Cross-Site Scripting Attacks

Cooperative Defense Against XSS Attacks

Advisor: 田筱榮

Abstract


Cross-site scripting (XSS) attacks have existed for a long time and have always been a serious threat to web application security. In recent years in particular, by combining the Web 2.0 information-sharing model, Ajax dynamic web technology and social networks, XSS attacks have evolved into a worm-like form capable of self-replication: not only can a large number of client-side users be attacked within a short time, but the large volume of replication requests that the victimized clients send to the server also amounts to a distributed denial-of-service attack on the server, so from the server's point of view the victims are also attackers. Traditional server-side XSS defense mechanisms based on input and output validation have difficulty stopping the spread of an XSS worm, because input validation filters on the signatures of malicious scripts, while an XSS worm exploits the ease with which JavaScript can be transformed to evade the server's signature-based detection of malicious scripts. This thesis proposes a new cooperative defense architecture. On the one hand, the server side, which has the technical capability and understands the characteristics of the web application service it provides, defines a security policy that assists client-side users in performing security filtering of the scripts executed in their browsers; on the other hand, when a client user's browser detects an XSS attack, it reports the attack to the server, and the server can automatically turn that attack information into web application firewall rules that prevent the XSS attack script from being downloaded, cutting off the large-scale spread of the XSS worm and giving web developers ample time to patch the vulnerability in the web application's source code. In this cooperative defense architecture, the client installs a browser extension that hardens the browser's security, and the server installs a web application firewall that hardens the web server's security; the two sides cooperate to resist XSS attacks.

Abstract (English)


XSS attacks have long been recognized as a major threat to the security of web applications. With the emergence of Web 2.0, Ajax and social networking, recent XSS attacks are able to mount massive assaults within a short time through worm-like self-reproduction. Traditional defenses based on server-side input-output validation are not able to stop them from spreading. In this thesis, we propose a novel cooperative defense mechanism that addresses the problem from both ends. At the client side, customized security policies are supplied by the more knowledgeable web application provider to assist client-side malicious script filtering and protect the client from being compromised by attacks. At the server side, the detection incidents reported by the clients are automatically used to enhance the server-side output-filtering rules, which immediately stop the malicious scripts from spreading while a final remedy for the vulnerability is still being developed.
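The two abstracts above describe the same round trip: a provider-defined policy drives script filtering in the browser, the browser reports what it blocks, and the server turns each report into an output-filter rule. The following JavaScript is an added illustration of that flow, not code from the thesis; the policy format, the report format, the firewall-rule format and the sample page content are all constructed assumptions for this example.

```javascript
// Added illustration of the cooperative defense flow described in the abstract.
// The policy, report and firewall-rule formats below are constructed for this
// example; they are assumptions, not the thesis's own code or data formats.

// 1. Server-supplied client-side policy (assumed format). The application
//    provider knows which script origins the site legitimately loads and
//    whether it ever relies on inline scripts, so it states that here.
const SERVER_POLICY = {
  site: "https://app.example",
  allowedScriptOrigins: ["https://app.example", "https://cdn.example"],
  allowInlineScripts: false,
};

function scriptOrigin(src) {
  try {
    return new URL(src).origin;
  } catch {
    return null; // malformed or relative URL: treated as not allowlisted
  }
}

// 2. Client side (browser extension): check each script the page would run
//    against the policy. The check is structural (origin or inline), not a
//    signature match, so rewriting or obfuscating a worm body does not evade it.
function filterScripts(policy, scripts) {
  const violations = [];
  for (const s of scripts) {
    if (s.inline) {
      if (!policy.allowInlineScripts) {
        violations.push({ kind: "inline", evidence: s.text, page: s.page });
      }
    } else if (!policy.allowedScriptOrigins.includes(scriptOrigin(s.src))) {
      violations.push({ kind: "external", evidence: s.src, page: s.page });
    }
  }
  return violations;
}

// 3. Client -> server incident report (assumed format).
function buildReport(policy, violations) {
  return violations.map((v) => ({
    site: policy.site,
    page: v.page,
    kind: v.kind,
    evidence: v.evidence,
  }));
}

// 4. Server side: each reported incident becomes an output-filter rule for the
//    web application firewall. A stored XSS worm lives on as user content the
//    server echoes back, so blocking responses that carry the reported script
//    URL or inline text stops further copies being delivered while the
//    application code is being fixed.
function reportToRules(report) {
  return report.map((r) => ({ match: r.evidence, firstSeenOn: r.page }));
}

// 5. The firewall applies the rules to outgoing response bodies.
function wafAllows(rules, body) {
  return !rules.some((rule) => body.includes(rule.match));
}

// End-to-end run on a constructed page: one legitimate CDN script, one script
// from an unapproved origin and one injected inline script.
function demo() {
  const page = "https://app.example/profile/42";
  const scriptsOnPage = [
    { page, src: "https://cdn.example/lib.js" },
    { page, src: "https://unapproved.example/w.js" },
    { page, inline: true, text: "console.log('constructed injected script')" },
  ];
  const violations = filterScripts(SERVER_POLICY, scriptsOnPage);
  const rules = reportToRules(buildReport(SERVER_POLICY, violations));
  return {
    violations: violations.length,
    ruleCount: rules.length,
    // a later response that re-serves the injected inline script is blocked...
    infectedResponseBlocked: !wafAllows(
      rules,
      "<p>bio</p><script>console.log('constructed injected script')</script>"
    ),
    // ...while a clean profile page still goes through
    cleanResponseAllowed: wafAllows(
      rules,
      '<p>bio</p><script src="https://cdn.example/lib.js"></script>'
    ),
  };
}
```

Calling `demo()` returns two violations, two derived rules, a blocked response for the page that re-serves the injected script and an allowed response for the clean page. The client-side check is deliberately structural rather than signature-based, which is the point the abstract makes about polymorphic worm bodies; the server-side rule is a literal match because its job is only to stop the specific copy already stored on the server from being delivered again until the underlying vulnerability is patched.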

Keywords (English)

XSS; web application security; XSS worm
