I found a reference on Slashdot to this article, which goes through a real XSS attack on informit.com and shows how easy it is and the vulnerabilities that we as developers need to protect against.

It’s an interesting read and very easy to follow, and the attack is pretty dangerous if not protected against.

I found a reference to the Acunetix web vulnerability scanner, which supposedly tests a website automatically against this. But the pricing is pretty high, and I’d rather have a good rules-of-thumb list for developers.