Depends to much on the site , you need a link where what you input is echoed in the page so for instance if there a search box that lets you search for 'hats' and then the next page says something like:
Found 10202 results for hats
We could change the word hats then to our own html if it was not properly checked , but this is doubtfull. Cookie grabbers are easy to stop now days with some simple built in functions. No ones really going to speand time investigating this though as coming across a xss can take alot of time , skill and most of all alot of luck.
Here is a e.g of a cookie grabber on neopets:
(you need an account to see links) rox
notice how when we visit this link 'xss rox' is in the source code?
Lets change it up a little to some html....
(you need an account to see links)
Oh neat now it shows a love heat gif using image codes .
And here is what a actual cookie grab would look like:
(you need an account to see links)
stealcookie.js can then be used to log our browser cookie.