I just got through jumping through hoops, getting special characters stripped from forms galore in an app. It was a pain in the butt, and the whole time I was thinking “who cares” if someone sticks a random reference to some other site, or a smiley-faced pop-up. I did the work anyway, but I certainly won’t be shrugging off the risks anymore.
Brian Krebs has uncovered a few big sites that are affected by XSS. The NSA? Heh.