
PagerDuty’s Security Training for Engineers, Penultimate
Coding Blocks
Script Alert Statements - Is This Really a Bug?
The potential for harm is actually pretty high with cross-site scripting. You're trying to get someone else's browser to interpret something as code that you entered in somewhere. And if they let it just be raw and you might have code in it, then you could just do something like a script alert statement. If you can get access to the cookies, a lot of times that means you can get access to the session token, which means that you can then impersonate that user and do bad things.