Cross-frame scripting attacks usually require the attacker to have the end user open a page that the attacker owns, and that page hosts an <iframe> with your legitimate page. This is something that the end user must look out for as it is not something user interface contols can influence. What I can suggest you look into is adding and X-Frame-Options: SAMEORIGIN header so that your pages can only be framed by your domain. This can allow contorls of ours that use <iframes> to still work, while reducing the risk of an attacker using your pages in a frame attack.
If the attacker already can inject content into <iframe> elements inside your site, then the site is already compromised because the attacker can already control it, and they could add keyloggers and other malicious code immediately, without modifying framed pages.