Protecting your site's cookies from Cross-Site Scripting (XSS) in Django
There's an excellent post by Jeff Atwood about protecting your site's cookies from being stolen in one of the most common forms of XSS attack. What it boils down to is setting the HttpOnly attribute on the cookies your site uses, especially the ones that carry the login session. If you don't know why this matters, read Jeff's 2008 post on the issue.
If you use Django's built-in User functionality (which, surely, you do), it's not obvious how to make the session cookie HttpOnly. Since December 2010, Django has had a setting for exactly this purpose (view the full changeset). In your settings.py, set the following:
SESSION_COOKIE_HTTPONLY = True
Session cookies will now carry the HttpOnly attribute, and modern browsers honour it by refusing to expose the cookie to client-side script, which protects you and your visitors from this form of attack.
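One way to confirm the setting actually took effect, as an added example that is not part of the original post: a small audit that inspects the Set-Cookie headers a login response returns and flags a session cookie sent without HttpOnly. The sample headers are constructed in Django's format and assume the default session cookie name, sessionid.

```python
# Added example (not from the original post): audit Set-Cookie headers
# for a Django session cookie that lacks the HttpOnly attribute.

SESSION_COOKIE_NAME = "sessionid"  # Django's default SESSION_COOKIE_NAME


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into (name, value, attributes).

    Attributes are keyed by their lower-cased name; flag attributes such
    as HttpOnly and Secure, which carry no value, map to True. Splitting on
    ';' keeps an Expires date (which contains a comma) intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_headers, session_cookie_name=SESSION_COOKIE_NAME):
    """Return a list of findings; an empty list means the session cookie is HttpOnly.

    Run this against the response that sets the cookie (typically the login
    response), since later responses may not re-send it.
    """
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != session_cookie_name:
            continue  # other cookies (e.g. csrftoken) are out of scope here
        seen = True
        if attrs.get("httponly") is not True:
            findings.append(f"{name}: missing HttpOnly (set SESSION_COOKIE_HTTPONLY = True)")
    if not seen:
        findings.append(f"{session_cookie_name}: no Set-Cookie for the session cookie seen (log in first)")
    return findings


# Constructed sample headers, before and after enabling SESSION_COOKIE_HTTPONLY.
INSECURE_HEADERS = [
    "csrftoken=c0nstructedT0ken; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=c0nstructedSess10n; Max-Age=1209600; Path=/; SameSite=Lax",
]
SECURE_HEADERS = [
    "csrftoken=c0nstructedT0ken; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=c0nstructedSess10n; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    print("before:", audit_session_cookie(INSECURE_HEADERS) or "ok")
    print("after: ", audit_session_cookie(SECURE_HEADERS) or "ok")
```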
