in reply to On JavaScript, mt2k, and security risks
In short, all someone has to do is use JavaScript's cookie code to fetch your PerlMonks cookie and deliver it to the malicious user. You don't even have to click a button. Put the JavaScript in an <img src="javascript:do_evil()"> tag, or any of the other dozens of ways of invoking JavaScript, which will neatly circumvent most regexp means of preventing it. The browser has to assume that all code and content coming from a web site is "sanctioned" and approved by that web site, so anything that comes in and tries to muck with the site's cookies or whatever has to be considered legitimately from that site, which means it'll be permitted.
The bottom line: Allowing anybody to put their own content on your web site (such as message boards or sites like this) is a bad idea unless you severely limit what they're allowed to put up. This includes all scripting languages and quite a lot of HTML tags and attributes. As much as I'd hate to see JavaScript go, it's simply not possible to write a secure "parser" that will remove evil JavaScript and permit what's left.
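To make the reply's point concrete, here is an added illustration (not code from this thread or from PerlMonks) of why stripping "evil JavaScript" with a regexp fails, and what the alternative of only permitting a known-safe subset looks like. A blacklist that removes script blocks leaves a javascript: URL in an img or anchor untouched; an allowlist built on a real HTML tokenizer keeps only listed tags and attributes and drops any URL whose scheme is not http, https or relative. The tag table, the whitespace normalization in safe_url, and the sample posts are all constructed for this example.

```python
"""A regexp blacklist versus an allowlist sanitizer for user-posted HTML.

Added illustration, not code from the PerlMonks thread. The sample inputs
in the test below are constructed for this example.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The regexp approach the reply warns against: it removes <script> blocks
# and nothing else, so a javascript: URL in <img src> or <a href> survives.
SCRIPT_TAG_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)


def naive_blacklist(html: str) -> str:
    """Strip <script>...</script> and hope nothing else can run code."""
    return SCRIPT_TAG_RE.sub("", html)


# Allowlist: only these tags, and only the listed attributes on each, are kept.
# Everything not listed (event handlers, style, unknown tags) is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "p": set(), "code": set(), "br": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}                 # never emit a closing tag for these
URL_ATTRS = {"href", "src"}               # values a browser treats as a URL
DROP_CONTENT_TAGS = {"script", "style"}   # drop the tag and its text


def safe_url(value: str) -> bool:
    """Accept only relative, http or https URLs.

    Browsers tolerate tabs and newlines inside a scheme, so whitespace and
    control characters are removed before the scheme is inspected
    (assumed normalization for this example). HTMLParser has already
    decoded entities in attribute values, so &#106;avascript: arrives here
    as javascript: and is rejected the same way.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; escape all text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: the tag goes, its text is kept as data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return an allowlisted rendering of untrusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    post = '<img src="javascript:do_evil()"><b onmouseover="do_evil()">hi</b>'
    print("blacklist:", naive_blacklist(post))   # unchanged: nothing matched
    print("allowlist:", sanitize(post))          # <img><b>hi</b>
```

The naive function passes the img vector from the reply straight through; the allowlist drops the unsafe src, the onmouseover handler, and the contents of script and style elements, and escapes every remaining text run. A production sanitizer would also balance unclosed tags and use a maintained library rather than a hand-rolled table, but the shape is the same: decide what is permitted, not what is forbidden.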