This is a genuine concern. The other risk is that you get XSS into a Chrome / privileged JavaScript context, which is probably the simplest way to get reliable arbitrary code execution in e.g. Firefox.<p>See e.g.: <a href="http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-roberto_liverani-nick_freeman-abusing_firefox.pdf" rel="nofollow">http://www.defcon.org/images/defcon-17/dc-17-presentations/d...</a> [PDF warning]