
If you missed something else, like a CSRF attack, an attacker could get you to submit an XSS request that sends your cookies to him.

There are other defenses against that, like having HttpOnly set on your cookies. Once you decide to let one particular thing through, though, you've lost defense in depth.
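As an added example, not part of the comment above, here is a small audit of Set-Cookie headers for the HttpOnly flag the commenter mentions, together with the Secure and SameSite attributes that limit what an injected script or a cross-site request can do with a session cookie; the sample headers and the function names are constructed for illustration.

```python
# Added example (not from the comment above): audit Set-Cookie headers for the
# attributes that keep a session cookie out of reach of injected script (HttpOnly),
# off plaintext connections (Secure) and off cross-site requests (SameSite).
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the cookie name and the attributes of interest."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[attr.lower()] = True  # flag attribute such as HttpOnly or Secure
    samesite = attrs.get("samesite")
    return CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=str(samesite).capitalize() if samesite is not None else None,
    )


def audit_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie with one finding per missing defensive attribute."""
    cookie = parse_set_cookie(header)
    if not cookie.httponly:
        cookie.findings.append("missing HttpOnly: readable by injected script")
    if not cookie.secure:
        cookie.findings.append("missing Secure: sent over plaintext HTTP")
    if cookie.samesite in (None, "None"):
        cookie.findings.append("SameSite absent or None: sent on cross-site requests")
    return cookie


# Constructed sample headers: a weak cookie and its hardened form.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
]
```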
