3
kiki
3d

XSS attack means game over, and no httpOnly cookie is gonna save you. Here’s why:
1. I copy the exact HTML and CSS of your sign-up form, but make it send data to my server
2. I perform XSS that replaces page content with that malicious form
3. 99% of users think they should sign in again
4. Profit: I now have their login and password.
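
Step 1 above depends on the browser letting a form on your page post to another origin. As an added example (not part of the original post), this JavaScript checks whether a Content-Security-Policy header's `form-action` directive would allow such a post; the URLs are constructed and the source matching is simplified (paths, ports and scheme inheritance are ignored).

```javascript
// Added example: would this CSP let a form on pageUrl submit to actionUrl?
// Simplified matching: 'self', 'none', *, scheme-source (https:), and
// host-source with optional scheme and leading "*." wildcard.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return true;
  // Scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  // Host-source such as "https://*.example.org" or "sso.example.org"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  return wildcard
    ? target.hostname.endsWith('.' + host)
    : target.hostname === host;
}

function formPostAllowed(cspHeader, pageUrl, actionUrl) {
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, page); // resolves relative actions
  const sources = parseCsp(cspHeader).get('form-action');
  // form-action does not fall back to default-src: absent means unrestricted.
  if (sources === undefined) return true;
  // An empty source list behaves like 'none'.
  return sources.some((src) => sourceMatches(src, target, page));
}
```

A policy with only `default-src 'self'` still returns `true` for a cross-origin action, because `form-action` has no fallback and must be set explicitly.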

Comments
  • 0
    Plot twist: my app is actually a useless piece of shit, no user data available, you have passwords that my app generated and forced users to use, so users don't use that password anywhere else.

    Silver lining: you have an email list that you can spam as you want with Nigerian prince's emails
  • 0
    Yep :p XSS is fun!

    And your example is perfect: the user won't even ask themselves to log in another time.

    It's still difficult: you need some original access to the platform.

    I just finished a pen test of our platform (No XSS, but a couple of interesting things found).

    But I DO know how to make an XSS hack of my own platform (It's just so obscure, pen testers won't find it).