XSS vulnerabilities and form entry modules

While working on XSS vulnerabilities, I realized that our form entry modules (htmlformentry, xforms, etc.) officially allow the end user to include JavaScript. This opens a wide door to XSS attacks, but it is a door that we cannot close because of the necessary functionality that JavaScript brings to the forms.

Does anyone know how we can prevent XSS attacks without losing this JavaScript functionality?

I don’t know of a way to address this.

To be able to author forms, someone needs to already have an account with pretty high-level access to the system. If we somehow prevented them from writing malicious JavaScript, they would still have lots of ways to attack the system.

I would rank this very low in my threat model, and basically I would ignore this.

(Importing forms from some other source, as opposed to authoring them, is a somewhat more realistic attack vector. Perhaps we could show a warning the first time you import an HTML Form or XForm that includes JS?)
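As an added illustration of the import-time warning suggested above (example code, not part of the original thread and not OpenMRS, htmlformentry or xforms code): a best-effort scan of an imported HTML form for the places JavaScript can live (script elements, on* event handler attributes, javascript: URLs in link/form attributes), returning the findings so an importer can show a warning. The `<htmlform>`/`<obs>` markup in the samples is constructed for the demo and only approximates the real form syntax; the warning text is likewise an assumption. It uses only the Python standard library.

```python
"""Best-effort check for JavaScript in an imported HTML form.

Added example, not project code: scans a form document the way the thread
suggests so an importer can warn the first time a form containing
JavaScript is loaded. It is a heuristic that feeds a warning, not a
sanitizer; the form is still imported as-is if the user accepts.
"""
from html.parser import HTMLParser

# Attributes whose value is a URL and can therefore carry a javascript: URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


class JsFinder(HTMLParser):
    """Collects (line_number, reason) findings for script-bearing markup."""

    def __init__(self):
        # HTMLParser already decodes entity references in attribute values,
        # so "&#106;avascript:" is seen here as "javascript:".
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _note(self, reason):
        line, _col = self.getpos()  # position of the tag being handled
        self.findings.append((line, reason))

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "script":
            self._note("<script> element")
        for name, value in attrs:
            name = name.lower()
            # Drop all whitespace before matching so "java script:" tricks
            # and leading newlines do not hide the scheme.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self._note(f"event handler attribute {name}= on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self._note(f"javascript: URL in {name}= on <{tag}>")


def find_javascript(form_html):
    """Return a list of (line_number, reason) for JavaScript found in form_html."""
    finder = JsFinder()
    finder.feed(form_html)
    finder.close()
    return finder.findings


def import_warning(form_html):
    """Return the warning text to show on import, or None if nothing was found."""
    findings = find_javascript(form_html)
    if not findings:
        return None
    detail = "\n".join(f"  line {ln}: {why}" for ln, why in findings)
    return ("This form contains JavaScript that will run in the browser of "
            "anyone who opens it. Import it only if you trust its source.\n"
            + detail)


# Constructed sample forms for the demo; they only approximate real form syntax.
PLAIN_FORM = """<htmlform>
  <p>Weight: <obs conceptId="5089" /></p>
  <a href="https://example.org/help">Help</a>
</htmlform>
"""

SCRIPTED_FORM = """<htmlform>
  <script>document.title = 'hello';</script>
  <p>Weight: <obs conceptId="5089" onchange="recalc()" /></p>
  <a href="JavaScript:alert(1)">Help</a>
</htmlform>
"""

if __name__ == "__main__":
    print("plain form:", import_warning(PLAIN_FORM))
    print("scripted form:\n" + import_warning(SCRIPTED_FORM))
```

The scan only decides whether to warn; it does not try to strip or rewrite anything, since the thread's point is that JavaScript in forms is a supported feature. Its coverage is deliberately narrow and can be evaded by more obscure vectors (for example markup the parser does not recognise as a tag), which is acceptable for a one-time "are you sure?" prompt on import but would not be acceptable as a security boundary.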

This is a realistic way to handle it. If you author it, assume you want whatever happens to happen.