When a script kiddie injects a chunk of JavaScript or a frame into a website, it generally gets fixed pretty quickly and everyone laughs about it. Maybe developers should think twice – those XSS exploits can cause a lot of harm, as detailed here.
I just got through jumping through hoops, getting special characters stripped from forms galore in an app. It was a pain in the butt, and the whole time I was thinking “who cares” if someone sticks a random reference to some other site, or a smiley-faced pop-up. I did the work anyway, but I certainly won’t be shrugging off the risks anymore.
***UPDATE***
Brian Krebs has uncovered a few big sites that are affected by XSS. The NSA? Heh.