Maybe it's been a while, but I thought that NoScript was per-domain. In the event of a XSS, the javascript maybe included from the page's domain. NoScript wouldn't help you here. IIRC, NoScript wouldn't say, "Hey this script wasn't here the last time you visited this domain, do you want to allow it?"