Bryan,
XSS attacks are already possible by those who can edit the JS files by
using the document.write('<script src=" trick.
That is:
a) Available to sysops of particular project only
b) Monitored, in watchlists and under revision control.
c) General codebase is constantly monitored for XSS problems.
Again, this already happens.
How? When?
BR,
--
Domas Mituzas --
http://dammit.lt/ -- [[user:midom]]