idk why youre getting downvoted because it's a good question and people need to ask more security questions.
Any website I can inject malicious javascript into, I can steal your cookies from (assuming the httponly flag isn't set on the cookie).
If you were logged into one of these whois sites and they didnt have the httponly flag set on your auth cookie, an attacker could send you to a page on the site that contains malicious javascript that could phone home with your auth cookie, letting the attacker hijack your session.
You can defend your own websites from these kinds of attacks by setting up a Content Security Policy and using the 'httponly' flag on auth cookies.
Whenever you have credentials stored on the same host as the dns frontend. I imagine that a few domain-registrars will have similar tools available on their servers, so that users can check data on their own domains.
Just wait until somebody turn it into a xargs bomb.
But yes, XSS is a serious problem. Even if it's done in a site that handles no valuable info (sites that display whois normaly handle very valuable info), it can be used to launch attacks against other sites.
One can imagine that I trust who.is and will click on links that go there, but now it can redirect me to an evil site that will attempt to exploit my browser.
Any website I can inject malicious javascript into, I can steal your cookies from (assuming the httponly flag isn't set on the cookie).
If you were logged into one of these whois sites and they didnt have the httponly flag set on your auth cookie, an attacker could send you to a page on the site that contains malicious javascript that could phone home with your auth cookie, letting the attacker hijack your session.
You can defend your own websites from these kinds of attacks by setting up a Content Security Policy and using the 'httponly' flag on auth cookies.
http://en.wikipedia.org/wiki/Content_Security_Policy