Visual Security Policy boxes on Drupal
If we wanted to stop this using boxes, we'd probably take a look at the page and think “well, that's user-inserted content there and there... there could be sharks!” so we could put a box around each comment separately. And then we might realize that the login box contains the username and password, so we should probably protect it too. Into a box it goes! That way, if we missed a source of user content, the login box is still protected.
Note: This is part of my presentation on Visual Security Policy for the Web.
Note 2: As far as I know, there is no such attack possible on the Drupal forums; I just used them because they made a nice screenshot.