Although the above image shows a very silly use of XSS, the same flaw could quite easily be used to craft a page that encourages journalists and readers to enter their passwords - and then sends them off to criminals.
What's unusual is that it appears to be powered by Google Custom Search - which should really be robust against this source of attack.
I strongly encourage people to read and understand the OWASP Guide to XSS - and their other fine guides.
It will save a lot of heartache later on.
- 20th February 2014 - Disclosed via their "technical problems with the website" form.
- 21st February 2014 - No response, so escalated to the Executive Editor.
- 26th February 2014 - Confirmed fixed.