If you don't think that malicious scripts can harm your site, you are wrong. Here is a list of what a malicious script could do:
- Remove itself from the DOM so that it can't be traced.
- Steal users' session cookies, letting the script author log in as those users and impersonate them.
- Show a fake "Your session has expired. Please log in again." message that sends the user's password to the script author.
- Register a malicious service worker that runs a malicious script on every page visit to that website.
- Put up a fake paywall demanding that users pay to access the site, with the money actually going to the script author.
Please don't think that XSS won't harm your website and its visitors.