As for attacks against the server, that might technically be true… but XSS can still be used to modify (behind the user’s back) data going to the server, such as the details (like where to ship the item, or how many to buy) of a web purchase.

Claiming that sites with open XSS vulnerabilities are safe seems beyond naïve to me. While these vulnerabilities might not allow an adversary to access or modify database data, consider the classic phishing scheme, where an adversary tricks an unsuspecting user into clicking a link, that takes them to a site that *looks* like the one they’re expecting, but is in fact malicious. An XSS vulnerability could allow the adversary to take this a step further: instead of hosting a lookalike page elsewhere, he could use the XSS vulnerability, so the unsuspecting user would be accessing the legitimate page, under the correct domain name, with the proper SSL certificate, but with a bit of JavaScript to modify the page to send its data elsewhere.

Such an attack still requires a somewhat gullible user, but a urlencoded string at the end of a URL (where users are used to seeing session IDs and other code numbers anyway) or even hidden in a POST request, is a lot harder to spot than an incorrect, malicious domain name.