disabling javascript is the most effective method against XSS, so it's really bad choice to not be able to do it simply. not that firefox would be that security-minded in other areas regarding to javascript (XSS + form autofill without SecureLogin addon = fun & profit for hackers)