Anything you can do XSS can do better
Cross Site Scripting (XSS) is the number one vulnerability in Drupal code¹ and one of the scariest forms of exploits, because anything you can do XSS can do better².
More serious than <script>alert('xss')</script>
- Changes the site title and site email address
- Changes the administrator's username, email, and password
- Sets a site-offline message and puts the site in offline status
- And finally, logs the current user out of the site³
How do you protect against this?
Against this exact demo? You disable the use of the Full HTML input format by anonymous users. In general you should understand how to configure your site securely and know what actions you allow untrusted users to perform.
The attack vector in the video is a comment that has Full HTML enabled for anonymous users. Note that Drupal does not come by default with Full HTML enabled for anonymous users.
Be mindful of contributed modules
It's also common for contributed modules to print user-supplied data insecurely, which opens the door to an XSS attack. Popular modules are generally more thoroughly vetted, and thus safer to use. Greg has written recently about some tools to use in picking modules. Also, if you're writing code, make sure you're using the APIs correctly and following best practices.
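As an added illustration of the "printing user-supplied data insecurely" mistake (example code, not from this post or any particular contributed module), here is a hypothetical module function that prints a comment subject unescaped, beside the fixed version that runs it through Drupal's check_plain() at output time. The small check_plain() stand-in is only there so the file runs outside a Drupal install; inside Drupal 6/7 the real function is used.

```php
<?php
// Added example: vulnerable vs. fixed output of user-supplied data in a
// hypothetical Drupal 6/7 module. Function names are made up for this example.

// Stand-in so this file runs outside Drupal. Drupal's check_plain() is
// htmlspecialchars() with ENT_QUOTES and UTF-8 (plus a UTF-8 validity check).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable: the subject is concatenated straight into the page, so any
// markup a commenter typed is rendered, and any script runs in the viewer's
// session with the viewer's privileges.
function example_comment_heading_vulnerable($subject) {
  return '<h3 class="comment-subject">' . $subject . '</h3>';
}

// Fixed: escape at the point of output, every time, no matter how the value
// was stored or which text format the comment body uses. (The same rule
// applies to t(): use @placeholder, which escapes; !placeholder does not.)
function example_comment_heading_safe($subject) {
  return '<h3 class="comment-subject">' . check_plain($subject) . '</h3>';
}

// Constructed sample input standing in for an attacker-controlled subject.
$subject = "Hello <script>alert('xss')</script>";

$vulnerable = example_comment_heading_vulnerable($subject);
$safe = example_comment_heading_safe($subject);

// A live <script> element survives only in the vulnerable output; the fixed
// output contains just the escaped text, which the browser displays verbatim.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo $vulnerable, "\n";
echo $safe, "\n";
```

Searching a module for print/echo/concatenation of request, node or comment fields that never pass through check_plain(), filter_xss() or check_markup() is a quick way to spot this class of bug during review.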
Stay safe, community!
¹XSS is the number one vulnerability in Drupal code based on times reported in Drupal core and contributed project Security Advisories as published by the Drupal Security Team. Read the report on Drupal Security for more information and stats.