Use a Content Security Policy (CSP) Header
You can disallow inline scripts and external scripts with a strong CSP. This is the most reliable and standard-compliant method.
<meta http-equiv="Content-Security-Policy" content="script-src 'none';">
What it does: Blocks all JavaScript from any source.
Limitations:
Only affects scripts after the header is parsed.
Any already parsed script tags before this won’t be affected.
You may not control server-set CSPs (if working in certain environments).