Was about to file a bug report for XSS but I’m sure you’re already aware. 😂

Fwiw, I think this is a terrible idea as RCE is never good.

Discussion

I have thought about this, but I’m not really sure what maliciousness could be done with JavaScript contained on a single webpage. If I had a login option on every user-generated page, I could see an issue, but is there anything that would make a Nostr Sites page dangerous? I was thinking at least every page is open source and the code is available on Nostr.

Tttttrrrruuuueeeee. And you’re already trusting other people’s JS when browsing everywhere else.