This the solution that I found against Script Injection:

First of all, backup file. htaccess.

Then paste the code below in .htaccess:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

What is the code doing?

Check if the application contains <script> and if someone try to change the variable values  GLOBALS and  _REQUEST variables.

If this happens, then the browser is closed and the 403 error is returned.

I hope this is usefull. Enjoy