Unintended solutions for XSS 5 - 7

[fluffy-awoo]

According to the descriptions, the intended for both XSS 5 and 6 is to make admin publish their post but both are solvable with cookie leak. And XSS 7 is solvable with username/password leak (in cookie) and login as admin instead of using the admin's leaked cookie. Just to confirm these are unintended? My patch would be to make flask sign the cookie and disable httponly so cookie is still readable thru javascript