RE: SteemWorld ~ Weekly Support ~ #24
Yes, XSS attacks can be very dangerous, especially when the user don't use any browser plugin to prevent data getting sent to untrusted sites. I would always recommend to install something like uMatrix (on Firefox). I won't ever enter the web without it being active.
There is one case, in which it would have been possible to access the users inputs on SteemWorld (but only without uMatrix). If a user would have visited an infected profile that contains the JSON data in the visible account operations and after that (without closing the tab) visited his own profile via the 'Switch Account' button. The attacker would have injected his script, which would then still reside inside the DOM of the current tab.
Thankfully that didn't happen and thanks to your hint it will never happen in future.