Allowing JavaScript and preventing XSS

Dear Rails enthusiants,

I'm currently developing a web app that allows each user to modify his
page, using any HTML and any JavaScript. Sure, they can mess up their
own page, but what I worry is cross-site scripting vulnerabilities,
especially cookie replay/session hijacking.

What I worry is that if a user creates a page and fetches the current
cookie, and save it somewhere else. The user who visits the page
doesn't know about that.

I wonder what's the solution for this. Thank you in advance.

Oomph, I'm not considering subdomains yet, too complicated.

I'm not planning to limit JavaScript, but more like designing which
security works best so that JavaScript can't take advantage of it (so,
it's more the server-side).

Maybe using HTTP authentication? But this way, cookie/session doesn't
work. Maybe HTTP auth + cookie? (so that cookie itself doesn't count
as "legit" session).

I'm also considering associating an IP address with a session, but I
understand that some people have rotated proxies and a group of people
even surf with the same IP. So I don't think it's a good solution.