With the case of XSS attacks, it's direct malicious code injection and that opens up an interesting legal loophole.
Your computer has been attacked and files have been injected.
This is a federal crime (same as a virus maker) that can pop up the Exclusionary rule which is constitutional law.
But this also directly challenges the fourth amendment under :
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
It states that probable cause is NOT enough for a warrant, unless it has a description of exactly what is expected to be found and where.
Illegally obtained evidence is referred to as "evidence acquired by violating a person's constitutional protection against illegal searches and seizures; evidence obtained without a warrant or probable cause"
In this case, probable cause is a completely unknown and because the security of the hard drive has already been compromised, no files can be proven to belong to the user, nor can they be disproved as a plant.
TLDR> bill of rights says no.