It is difficult: you need to test every URL of your application and check if specific patterns are present in the reply (and it is very difficult to have a good algorithm which can understand which is good and bad javascript, or you need to configure this scanner which can be long and tricky).

There is a realtime open source solution called mod security on the server side. It is a web application firewall: it can detect specific patterns in requests and / or responses. It works on apache as a module. This is mainly a production solution, and does not detect injection during development. Furthermore, you need some experiences to tune it (what is good and wrong in the data exchanges with our clients) which can be tricky and does not protect against new attacks or more intelligent attacks (re-encoding characters for instance).

By the way, another solution is to use Content Security Policy but it is not available in all browsers (well, no one at the present time, wait for Firefox 4 ;-).