by Oduig 4819 days ago
Isn't XSS only a client side danger? For URLs, this is relevant since you can post a malicious link and people can click on it. It's much harder to get someone else's browser to accept a cookie you made for a specific website.

Of course, cookies are still client-side data and should not be trusted. But XSS is not a problem here. Correct me if I'm wrong.


Not if your server environment is running Node.js! If you start reading cookies and potentially evaluating their content, this could have a major impact on a Node process. That said, I doubt that you could hack a running Node process with this without the system using eval() on the cookie contents. I've been wrong before....
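Added illustration of the point both comments circle around (not code from either commenter): a cookie is client-controlled request input, and a Node.js handler that reflects it into HTML unencoded hands the holder of that cookie a script-execution path, no eval() required. The handler, cookie names and sample value are constructed for the example.

```javascript
// Minimal Cookie-header parser (constructed for this example). Values are
// percent-decoded, as browsers send them.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// HTML-entity encoding for text that lands in element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Unsafe: treats the cookie as if the server's own earlier Set-Cookie were
// the only thing that could have put it there.
function renderGreetingUnsafe(cookieHeader) {
  const { user = 'guest' } = parseCookies(cookieHeader);
  return `<p>Welcome back, ${user}</p>`;
}

// Safe: treats the cookie like any other request input and encodes it for
// the HTML context it is written into.
function renderGreetingSafe(cookieHeader) {
  const { user = 'guest' } = parseCookies(cookieHeader);
  return `<p>Welcome back, ${escapeHtml(user)}</p>`;
}

// Constructed sample Cookie header: the "user" value carries markup instead
// of a name. In the unsafe renderer it becomes live script in the response;
// in the safe renderer it is shown as text.
const SAMPLE_COOKIE = 'theme=dark; user=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log(renderGreetingUnsafe(SAMPLE_COOKIE)); // markup survives intact
console.log(renderGreetingSafe(SAMPLE_COOKIE));   // markup is entity-encoded
```

The fix is the same output encoding used for any reflected input; what the example shows is that the Cookie header belongs in that category even though the server set it originally.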