= Critique = Slashdot carried a link to an armchair security "institution" (Why make up a corny name for yourself, call it your company blog and expect kudos? Just blog under your own name!) that makes this claim: http://neosmart.net/blog/archives/194 "It is *of the utmost importance* to note that a page that has an XSS vulnerablity is no /more dangerous/ than visiting a random result generated by a Google search - something that users do all the time." This is quite false. He correctly identifies the first problem: social engineering an XSS url may provide (although why he doesn't consider this "more dangerous" is beyond me), however he misses the second problem, that since the XSS is on the actual host, the javascript can run in a state of elevated privileges for cookie access to that site. This lets you steal any of their cookies simply. His article is thus flagrantly ignorant, and it should simply be ignored. Everybody in the know already agrees that JavaScript is a gaping security hole and people shouldn't be running with it all the time. While he does credit to those trying to get JavaScript eliminated from the web, he discredits them by misleading the XSS's risk as a twisted argument to elevate the problems with JavaScript. One might argue that it only strengthens his point that JavaScript sucks because it is the very thing that enables the problem with cookies and XSS. However, he should have simply argued _that_ and improved his case. Now his title is simply too false to have a lasting impact, despite the good merits of his goal.