It is a good idea to keep an eye on sla.ckers.org if you are curious whether your organization’s shorts might be swinging in the breeze. Take the Google Search Appliance post from November 17th, for example:

an XSS in most sites that uses the google search API with it’s generic results template. The api allows any encoding method to be used for output, and doesn’t sanitize until after the page has been converted. (Google.com uses the same API but it’s unaffected because it santizes in UTF8 before converting to the output encoding)

Plenty of vulnerable sites (links to exploited pages) provided by the post, including stanford.edu, fda.gov, unc.edu, nhl.com…

Note the hint to sanitize before conversion, and the difference found between the appliance and the mothership.