Half an hour of research has shown that many websites still don’t filter their HTML for potential XSS attacks. I just entered the simple search term “<script>alert(1)</script>” into the search boxes of well-known news sites in the USA, UK and Germany. I got 7 results of vulnerable websites. Some of them just include the search term unescaped in the website, others get into trouble when including the term inside embedded JavaScript strings. In the latter case I had to change the term a bit to get the script executed. The following sites are vulnerable:

Should check your code, guys, and learn …
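The two cases described in the post (the term placed unescaped in the HTML, and the term placed inside an embedded JavaScript string) need different encoders. The following is an added example, not part of the original post; the function names and the page template are hypothetical, and the second input is a constructed benign query.

```javascript
// Added example: context-aware output encoding for a reflected search term.
// All names and the page template below are hypothetical.

// HTML text or quoted-attribute context: neutralise the characters that
// start tags, entities and attribute delimiters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> string context: JSON.stringify quotes the value and escapes
// quotes, backslashes and control characters; <, >, & and U+2028/U+2029 are
// then rewritten as \uXXXX so the HTML parser never sees "</script>" or
// "<!--" inside the script block.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// "Before": the term is concatenated into both contexts as-is.
function renderUnsafe(term) {
  return `<p>Results for ${term}</p>\n<script>var q = "${term}";</script>`;
}

// "After": each context gets its own encoder.
function renderSafe(term) {
  return `<p>Results for ${escapeHtml(term)}</p>\n` +
         `<script>var q = ${jsStringLiteral(term)};</script>`;
}

// Rough check: how many <script> start tags would an HTML parser find?
// The template itself contributes exactly one.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

const pageTerm = '<script>alert(1)</script>';      // the term used in the post
const benignTerm = `O'Reilly "security" \\ books`; // constructed: legitimate query with quotes

for (const term of [pageTerm, benignTerm]) {
  console.log('unsafe:', countScriptTags(renderUnsafe(term)), 'script tags');
  console.log('safe:  ', countScriptTags(renderSafe(term)), 'script tag');
}
```

HTML-escaping alone is not the right encoder for the script context: entities are not decoded inside a script block, so a legitimate query containing quotes would reach the script as literal entity text, which is why the second encoder exists.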